| # | CVSS | Severity | Vector | Vendor | Product | Description | Status | CWE | CVE | Updated | Published |
|---|------|----------|--------|--------|---------|-------------|--------|-----|-----|---------|-----------|
| 671 | 8.8 | HIGH | Network | dolibarr | dolibarr_erp/crm | In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated … | New | CWE-78 (OS Command Injection) | CVE-2026-31019 | 2026-04-24 01:10 | 2026-04-22 |
| 672 | 8.8 | HIGH | Network | pjsip | pjsip | PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is a buffer overflow when decoding Opus audio frames due to insufficient buffer size validati… | New | CWE-122 (Heap-based Buffer Overflow) | CVE-2026-40614 | 2026-04-24 01:09 | 2026-04-22 |
| 673 | 6.5 | MEDIUM | Network | decidim | decidim | Decidim is a participatory democracy framework. Starting in version 0.19.0 and prior to versions 0.30.5 and 0.31.1, a vulnerability allows any registered and authenticated user to accept or reject an… | New | CWE-266 (Incorrect Privilege Assignment) | CVE-2026-40869 | 2026-04-24 01:08 | 2026-04-22 |
| 674 | 9.8 | CRITICAL | Network | pjsip | pjsip | PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a stack buffer overflow exists in pjsip_auth_create_digest2() in PJSIP when using pre-computed dige… | New | CWE-121 (Stack-based Buffer Overflow) | CVE-2026-40892 | 2026-04-24 01:07 | 2026-04-22 |
| 675 | 8.1 | HIGH | Network | wwbn | avideo | WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-… | New | CWE-942 (Permissive Cross-domain Policy with Untrusted Domains) | CVE-2026-41056 | 2026-04-24 01:05 | 2026-04-22 |
| 676 | 5.3 | MEDIUM | Network | wwbn | avideo | WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities wh… | New | CWE-918 (Server-Side Request Forgery (SSRF)) | CVE-2026-41055 | 2026-04-24 00:59 | 2026-04-22 |
| 677 | 7.5 | HIGH | Network | follow-redirects_project | follow-redirects | follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redire… | New | CWE-200 / NVD-CWE-noinfo (Information Exposure) | CVE-2026-40895 | 2026-04-24 00:54 | 2026-04-22 |
| 678 | 5.4 | MEDIUM | Network | docmost | docmost | Docmost is open-source collaborative wiki and documentation software. Prior to 0.80.0, when leaving a comment on a page, it is possible to include a JavaScript URI as the link. When a user clicks on … | New | CWE-79 (Cross-site Scripting) | CVE-2026-40927 | 2026-04-24 00:50 | 2026-04-22 |
| 679 | 5.3 | MEDIUM | Network | wwbn | avideo | WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with no clamping or sanitization, l… | New | CWE-804 (Guessable CAPTCHA) | CVE-2026-40935 | 2026-04-24 00:50 | 2026-04-22 |
| 680 | 7.8 | HIGH | Local | node-modules | compressing | Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility… | New | CWE-59 (Link Following) | CVE-2026-40931 | 2026-04-24 00:49 | 2026-04-22 |