|
331
|
9.0 |
CRITICAL
Network
|
craftycontrol
|
crafty_controller
|
An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permiss…
Update
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-5652
|
2026-04-28 04:47 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
332
|
4.8 |
MEDIUM
Network
|
pyload-ng_project
|
pyload-ng
|
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwa…
Update
|
CWE-346
Origin Validation Error
|
CVE-2026-40594
|
2026-04-28 04:43 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
333
|
5.6 |
MEDIUM
Local
|
home-assistant-ecosystem
|
home_assistant_command-line_interface
|
The Home Assistant Command-line interface (hass-cli) is a command-line tool for Home Assistant. Up to 1.0.0 of home-assitant-cli an unrestricted environment was used to handle Jninja2 templates inste…
Update
|
CWE-94
CWE-1336
Code Injection
Improper Neutralization of Special Elements Used in a Template Engine
|
CVE-2026-40602
|
2026-04-28 04:43 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
334
|
5.5 |
MEDIUM
Local
|
dayuanjiang
|
next_ai_draw.io
|
Next AI Draw.io is a next.js web application that integrates AI capabilities with draw.io diagrams. Prior to 0.4.15, the embedded HTTP sidecar contains three POST handlers (/api/state, /api/restore, …
Update
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-40608
|
2026-04-28 04:41 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
335
|
8.1 |
HIGH
Network
|
kyverno
|
kyverno
|
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno c…
Update
|
CWE-922
Insecure Storage of Sensitive Information
|
CVE-2026-40868
|
2026-04-28 04:41 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
336
|
9.9 |
CRITICAL
Network
|
microsoft
|
azure_iot_central
|
Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network.
Update
|
CWE-200
Information Exposure
|
CVE-2026-21515
|
2026-04-28 04:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
337
|
6.5 |
MEDIUM
Network
|
frappe
|
frappe_hr
|
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting…
Update
|
CWE-284
Improper Access Control
|
CVE-2026-40888
|
2026-04-28 04:39 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
338
|
6.5 |
MEDIUM
Network
|
frappe
|
frappe_hr
|
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Ver…
Update
|
CWE-284
Improper Access Control
|
CVE-2026-40889
|
2026-04-28 04:39 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
339
|
6.5 |
MEDIUM
Network
|
frappe
|
frappe_hr
|
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, al…
Update
|
CWE-89
SQL Injection
|
CVE-2026-41320
|
2026-04-28 04:38 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
340
|
6.5 |
MEDIUM
Network
|
pypdf_project
|
pypdf
|
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires…
Update
|
CWE-789
Memory Allocation with Excessive Size Value
|
CVE-2026-41312
|
2026-04-28 04:31 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
