|
1661
|
8.8 |
HIGH
Network
|
mrsilaz
|
mfa_mail
|
La extensión no restablece correctamente el código MFA generado después de una autenticación exitosa. Esto conduce a una posible omisión de MFA para futuros intentos de inicio de sesión al proporcion…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-4208
|
2026-04-26 03:43 |
2026-03-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1662
|
4.3 |
MEDIUM
Network
|
ayacoo
|
redirect_tab
|
The extension fails to verify, if an authenticated user has permissions to access to redirects resulting in exposure of redirect records when editing a page.
|
CWE-200
CWE-862
Information Exposure
Missing Authorization
|
CVE-2026-4202
|
2026-04-26 03:40 |
2026-03-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1663
|
4.3 |
MEDIUM
Network
|
ayacoo
|
redirect_tab
|
La extensión falla al verificar si un usuario autenticado tiene permisos para acceder a las redirecciones, resultando en la exposición de registros de redirección al editar una página.
|
CWE-200
CWE-862
Information Exposure
Missing Authorization
|
CVE-2026-4202
|
2026-04-26 03:40 |
2026-03-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1664
|
8.8 |
HIGH
Network
|
cps-it
|
mailqueue
|
The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active explo…
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-1323
|
2026-04-26 03:37 |
2026-03-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1665
|
8.8 |
HIGH
Network
|
cps-it
|
mailqueue
|
La extensión no define correctamente las clases permitidas utilizadas al deserializar metadatos de fallo de transporte. Un atacante puede explotar esto para ejecutar código serializado no confiable. …
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-1323
|
2026-04-26 03:37 |
2026-03-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1666
|
9.4 |
CRITICAL
Network
|
dgraph
|
dgraph
|
Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered o…
|
CWE-200
CWE-215
CWE-522
Information Exposure
Insertion of Sensitive Information Into Debugging Code
Insufficiently Protected Credentials
|
CVE-2026-40173
|
2026-04-26 03:27 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1667
|
7.8 |
HIGH
Local
|
getcomposer
|
composer
|
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs she…
|
CWE-20
CWE-78
Improper Input Validation
OS Command
|
CVE-2026-40176
|
2026-04-26 03:24 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1668
|
6.1 |
MEDIUM
Network
|
apostrophecms
|
apostrophecms
sanitize-html
|
ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions 2.17.1 of the ApostropheCMS-maintained sanitize-html package bypasse…
|
CWE-79
Cross-site Scripting
|
CVE-2026-40186
|
2026-04-26 03:15 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1669
|
8.8 |
HIGH
Network
|
getcomposer
|
composer
|
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $source…
|
CWE-20
CWE-78
Improper Input Validation
OS Command
|
CVE-2026-40261
|
2026-04-26 03:12 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1670
|
8.1 |
HIGH
Network
|
hashicorp
|
vault
|
An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulne…
|
CWE-288
Authentication Bypass Using an Alternate Path or Channel
|
CVE-2026-3605
|
2026-04-26 03:08 |
2026-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
