| # | CVSS | Severity | Attack Vector | CVE | Status | CWE | Published | Updated | Description | References |
|---|---|---|---|---|---|---|---|---|---|---|
| 71 | 9.1 | CRITICAL | Network | CVE-2026-40484 | New | CWE-269 Improper Privilege Management; CWE-434 Unrestricted Upload of File with Dangerous Type; CWE-552 Files or Directories Accessible to External Parties | 2026-04-18 09:16 | 2026-04-18 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ direct… | GitHub, Exploit DB, Packet Storm |
| 72 | 5.4 | MEDIUM | Network | CVE-2026-40483 | New | CWE-79 Cross-site Scripting; CWE-116 Improper Encoding or Escaping of Output | 2026-04-18 09:16 | 2026-04-18 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes without escaping via html… | GitHub, Exploit DB, Packet Storm |
| 73 | - | - | - | CVE-2026-40482 | New | CWE-89 SQL Injection | 2026-04-18 09:16 | 2026-04-18 | ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw SQ… | GitHub, Exploit DB, Packet Storm |
| 74 | - | - | - | CVE-2026-40480 | New | CWE-639 Authorization Bypass Through User-Controlled Key; CWE-862 Missing Authorization | 2026-04-18 09:16 | 2026-04-18 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorizatio… | GitHub, Exploit DB, Packet Storm |
| 75 | 8.8 | HIGH | Network | CVE-2026-40349 | New | CWE-862 Missing Authorization | 2026-04-18 09:16 | 2026-04-18 | Movary is a self-hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=… | GitHub, Exploit DB, Packet Storm |
| 76 | 7.7 | HIGH | Network | CVE-2026-40348 | New | CWE-918 Server-Side Request Forgery (SSRF) | 2026-04-18 09:16 | 2026-04-18 | Movary is a self-hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side requests to arbitrary internal targets throu… | GitHub, Exploit DB, Packet Storm |
| 77 | 5.3 | MEDIUM | Network | CVE-2026-40347 | New | CWE-400 Uncontrolled Resource Consumption; CWE-834 Excessive Iteration | 2026-04-18 09:16 | 2026-04-18 | Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or… | GitHub, Exploit DB, Packet Storm |
| 78 | - | - | - | CVE-2026-40346 | New | CWE-918 Server-Side Request Forgery (SSRF) | 2026-04-18 09:16 | 2026-04-18 | NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request ac… | GitHub, Exploit DB, Packet Storm |
| 79 | 3.5 | LOW | Physics | CVE-2026-40341 | New | CWE-126 Buffer Over-read | 2026-04-18 09:16 | 2026-04-18 | libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, an out-of-bounds read in ptp_unpack_EOS_FocusInfoEx could be used to crash libgphoto2 when processing input f… | GitHub, Exploit DB, Packet Storm |
| 80 | 6.1 | MEDIUM | Physics | CVE-2026-40340 | New | CWE-125 Out-of-bounds Read | 2026-04-18 09:16 | 2026-04-18 | libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read vulnerability in `ptp_unpack_OI()` in `camlibs/ptp2/ptp-pack.c` (lines 530–563). The … | GitHub, Exploit DB, Packet Storm |