|
61
|
6.1 |
MEDIUM
Network
|
-
|
-
|
The Hostel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode_id' parameter in all versions up to, and including, 1.1.6 due to insufficient input sanitization and…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-1838
|
2026-04-18 11:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
62
|
6.4 |
MEDIUM
Network
|
-
|
-
|
The Youzify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'checkin_place_id' parameter in all versions up to, and including, 1.3.6 due to insufficient input sanitization a…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-1559
|
2026-04-18 11:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
63
|
9.0 |
CRITICAL
Local
|
-
|
-
|
NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 15 (MemoryMapRange) allows Ring 3 user-mode processes to map arbitrary virtual address …
New
|
CWE-269
Improper Privilege Management
|
CVE-2026-40572
|
2026-04-18 10:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
64
|
8.8 |
HIGH
Network
|
-
|
-
|
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use t…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-40350
|
2026-04-18 10:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
65
|
9.3 |
CRITICAL
Local
|
-
|
-
|
NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 12 (JumpToUser) accepts an arbitrary entry point address from user-space registers with…
New
|
CWE-20
CWE-269
Improper Input Validation
Improper Privilege Management
|
CVE-2026-40317
|
2026-04-18 10:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
66
|
7.5 |
HIGH
Network
|
-
|
-
|
SecureDrop Client is a desktop app for journalists to securely communicate with sources and handle submissions on the SecureDrop Workstation. In versions 0.17.4 and below, a compromised SecureDrop Se…
New
|
CWE-36
CWE-73
Absolute Path Traversal
External Control of File Name or Path
|
CVE-2026-35465
|
2026-04-18 10:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
67
|
4.8 |
MEDIUM
Network
|
-
|
-
|
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the User Editor (UserEditor.php) renders stored usernames directly into an HTML input value attribute without applyin…
New
|
CWE-79
CWE-116
Cross-site Scripting
Improper Encoding or Escaping of Output
|
CVE-2026-40593
|
2026-04-18 09:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
68
|
- |
|
-
|
-
|
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, byp…
New
|
CWE-288
CWE-305
Authentication Bypass Using an Alternate Path or Channel
Authentication Bypass by Primary Weakness
|
CVE-2026-40582
|
2026-04-18 09:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
69
|
8.1 |
HIGH
Network
|
-
|
-
|
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records an…
New
|
CWE-352
CWE-862
Origin Validation Error
Missing Authorization
|
CVE-2026-40581
|
2026-04-18 09:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
70
|
5.3 |
MEDIUM
Network
|
-
|
-
|
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a…
New
|
CWE-204
CWE-307
Response Discrepancy Information Exposure
mproper Restriction of Excessive Authentication Attempts
|
CVE-2026-40485
|
2026-04-18 09:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
