

The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS severity where a score has been assigned)
  • CVE-2026-4332 - GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary Java... read CVE-2026-4332
    Published: April 08, 2026; 7:16:59 PM -0400

  • CVE-2026-4916 - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with custom role permissions to demote or remove higher-privi... read CVE-2026-4916
    Published: April 08, 2026; 7:17:00 PM -0400

  • CVE-2026-34850 - Race condition vulnerability in the notification service. Impact: Successful exploitation of this vulnerability may affect availability.
    Published: April 13, 2026; 12:16:07 AM -0400

    V3.1: 5.9 MEDIUM

  • CVE-2026-34851 - Race condition vulnerability in the event notification module. Impact: Successful exploitation of this vulnerability may affect availability.
    Published: April 13, 2026; 12:16:11 AM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-34852 - Stack overflow vulnerability in the media platform. Impact: Successful exploitation of this vulnerability may affect availability.
    Published: April 13, 2026; 12:16:11 AM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-34853 - Permission bypass vulnerability in the LBS module. Impact: Successful exploitation of this vulnerability may affect availability.
    Published: April 13, 2026; 12:16:12 AM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-34856 - UAF vulnerability in the communication module. Impact: Successful exploitation of this vulnerability may affect availability.
    Published: April 13, 2026; 12:16:12 AM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-34860 - Access control vulnerability in the memo module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.
    Published: April 13, 2026; 12:16:12 AM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-35444 - SDL_image is a library to load images of various formats as SDL surfaces. In do_layer_surface() in src/IMG_xcf.c, pixel index values from decoded XCF tile data are used directly as colormap indices without validating them against the colormap size... read CVE-2026-35444
    Published: April 06, 2026; 6:16:23 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2026-35404 - Open edX Platform enables the authoring and delivery of online learning at any scale. The view_survey endpoint accepts a redirect_url GET parameter that is passed directly to HttpResponseRedirect() without any URL validation. When a non-existent su... read CVE-2026-35404
    Published: April 06, 2026; 6:16:21 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2026-35184 - EcclesiaCRM is CRM Software for church management. Prior to 8.0.0, there is a SQL injection vulnerability in v2/templates/query/queryview.php via the custom and value parameters. This vulnerability is fixed in 8.0.0.
    Published: April 06, 2026; 4:16:26 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-35406 - Aardvark-dns is an authoritative dns server for A/AAAA container records. From 1.16.0 to 1.17.0, a truncated TCP DNS query followed by a connection reset causes aardvark-dns to enter an unrecoverable infinite error loop at 100% CPU. This vulnerabi... read CVE-2026-35406
    Published: April 07, 2026; 6:16:23 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-39846 - SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe ... read CVE-2026-39846
    Published: April 07, 2026; 6:16:23 PM -0400

    V3.1: 9.0 CRITICAL

  • CVE-2026-39847 - Emmett is a full-stack Python web framework designed with simplicity. From 2.5.0 to before 2.8.1, the RSGI static handler for Emmett's internal assets (/__emmett__ paths) is vulnerable to path traversal attacks. An attacker can use ../ sequences (... read CVE-2026-39847
    Published: April 07, 2026; 6:16:23 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-22731 - Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path... read CVE-2026-22731
    Published: March 19, 2026; 7:16:41 PM -0400

    V3.1: 8.1 HIGH

  • CVE-2026-22732 - When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security Servlet applications using lazy (default) writi... read CVE-2026-22732
    Published: March 19, 2026; 7:16:41 PM -0400

  • CVE-2026-35213 - @hapi/content provided HTTP Content-* headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type ... read CVE-2026-35213
    Published: April 06, 2026; 5:16:20 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-35208 - lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is present and ... read CVE-2026-35208
    Published: April 06, 2026; 5:16:20 PM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2026-35203 - ZLMediaKit is a streaming media service framework. The VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying that sufficient data exists in the buffer. A c... read CVE-2026-35203
    Published: April 06, 2026; 4:16:28 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-35201 - Discount is an implementation of John Gruber's Markdown markup language in C. From 1.3.1.1 to before 2.2.7.4, a signed length truncation bug causes an out-of-bounds read in the default Markdown parse path. Inputs larger than INT_MAX are truncated ... read CVE-2026-35201
    Published: April 06, 2026; 4:16:27 PM -0400
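The open-redirect entry above (CVE-2026-35404: a redirect_url GET parameter handed to HttpResponseRedirect() without validation) is the one item in this list whose fix is small enough to show in full. What follows is an added example, not Open edX code and not the project's patch: it models in plain Python the host-and-scheme check that Django ships as django.utils.http.url_has_allowed_host_and_scheme(), rewritten over the standard library so it runs without Django installed. The hostname learn.example.org, the function names and the probe inputs are constructed placeholders, not values from the advisory.

```python
from urllib.parse import urlsplit

# Constructed placeholder for the deployment's own hostnames (an assumption,
# not taken from the Open edX advisory). Entries are lowercase and include a
# port if the site is served on one, e.g. "learn.example.org:8443".
ALLOWED_HOSTS = frozenset({"learn.example.org"})


def _host_and_scheme_ok(url, allowed_hosts, require_https):
    """One pass of the check modelled on Django's url_has_allowed_host_and_scheme():
    a relative path is acceptable; an absolute URL is acceptable only if its
    authority is one of ours and its scheme is http(s)."""
    # "///host" is interpreted as a scheme-relative URL by some browsers.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. an unbalanced IPv6 literal
        return False
    # "http:evil.example" or "javascript:alert(1)": a scheme without an
    # authority component is never a same-site target.
    if parts.scheme and not parts.netloc:
        return False
    valid_schemes = ("https",) if require_https else ("http", "https")
    if parts.scheme and parts.scheme not in valid_schemes:
        return False
    # Compare the whole netloc (userinfo, host and port) so that
    # "learn.example.org@attacker.example" does not slip through.
    return not parts.netloc or parts.netloc.lower() in allowed_hosts


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS, require_https=False):
    """True only if url is a relative path or points at one of allowed_hosts.
    Browsers treat a backslash like a slash, so the check runs on both the raw
    URL and a slash-normalised copy, the same dual check Django performs."""
    if not url:
        return False
    url = url.strip()
    if not url:
        return False
    return (_host_and_scheme_ok(url, allowed_hosts, require_https)
            and _host_and_scheme_ok(url.replace("\\", "/"), allowed_hosts, require_https))


def redirect_target_vulnerable(query):
    """The pattern the advisory describes: the parameter goes straight into the
    redirect. Returns the Location value the response would carry."""
    return query.get("redirect_url", "/")


def redirect_target_hardened(query, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Hardened form: anything that fails is_safe_redirect() is replaced by a
    fixed same-site path instead of being echoed into Location."""
    target = query.get("redirect_url", "")
    return target if is_safe_redirect(target, allowed_hosts) else fallback


if __name__ == "__main__":
    # Constructed query parameters, not captured traffic.
    probes = [
        {"redirect_url": "/courses"},
        {"redirect_url": "https://learn.example.org/survey/done"},
        {"redirect_url": "https://attacker.example/login"},
        {"redirect_url": "//attacker.example/login"},
        {"redirect_url": "/\\attacker.example/login"},
        {"redirect_url": "javascript:alert(1)"},
    ]
    for q in probes:
        print(f"{q['redirect_url']!r:40} vulnerable -> "
              f"{redirect_target_vulnerable(q)!r:40} hardened -> "
              f"{redirect_target_hardened(q)!r}")
```

In a real Django view the same decision is made by url_has_allowed_host_and_scheme(url, allowed_hosts=request.get_host()) before constructing the HttpResponseRedirect; the point of the stand-alone version is to make visible which inputs the check has to reject (protocol-relative URLs, backslash variants, non-http schemes, and userinfo tricks) rather than only full foreign origins.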

Created September 20, 2022 , Updated August 27, 2024