| # | CVSS | Severity | Vector | Description | Status | CWE | CVE ID | Timestamp | Date |
|---|---|---|---|---|---|---|---|---|---|
| 91 | - | - | - | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | New | - | CVE-2026-5250 | 2026-04-18 08:16 | 2026-04-18 |
| 92 | 4.3 | MEDIUM | Network | Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/users/{id}/preferences) applies submitted preference values without chec… | New | CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes | CVE-2026-40486 | 2026-04-18 08:16 | 2026-04-18 |
| 93 | - | - | - | monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe sig… | New | CWE-400 Uncontrolled Resource Consumption | CVE-2026-40481 | 2026-04-18 08:16 | 2026-04-18 |
| 94 | 5.4 | MEDIUM | Network | Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quote or single quote characters. When a us… | New | CWE-79 Cross-site Scripting | CVE-2026-40479 | 2026-04-18 08:16 | 2026-04-18 |
| 95 | 6.4 | MEDIUM | Network | The Pz-LinkCard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blogcard' shortcode attributes in all versions up to, and including, 2.5.8.1 due to insufficient input sanit… | New | CWE-79 Cross-site Scripting | CVE-2026-2434 | 2026-04-18 08:16 | 2026-04-18 |
| 96 | - | - | - | miniupnpd contains an integer underflow vulnerability in SOAPAction header parsing that allows remote attackers to cause a denial of service or information disclosure by sending a malformed SOAPActio… | New | CWE-125 Out-of-bounds Read; CWE-191 Integer Underflow (Wrap or Wraparound) | CVE-2026-5720 | 2026-04-18 07:16 | 2026-04-18 |
| 97 | 9.0 | CRITICAL | Network | Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanism… | New | CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection'); CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine | CVE-2026-40478 | 2026-04-18 07:16 | 2026-04-18 |
| 98 | 9.0 | CRITICAL | Network | Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. A… | New | CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection'); CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine | CVE-2026-40477 | 2026-04-18 07:16 | 2026-04-18 |
| 99 | - | - | - | graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons of fields sharing the same response n… | New | CWE-407 Inefficient Algorithmic Complexity | CVE-2026-40476 | 2026-04-18 07:16 | 2026-04-18 |
| 100 | 7.6 | HIGH | Network | wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead… | New | CWE-284 Improper Access Control; CWE-862 Missing Authorization | CVE-2026-40474 | 2026-04-18 07:16 | 2026-04-18 |