| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-21997 | Oracle Life Sciences Empirica Signal Security Vulnerability | Oracle Corporation | Oracle Life Sciences Empirica Signal | High | 8.5 | 2026-04-21 20:34:59 | Deep Dive |
| CVE-2026-21998 | Oracle MySQL Server Security Vulnerability | Oracle Corporation | MySQL Server | Medium | 4.9 | 2026-04-21 20:34:59 | Deep Dive |
| CVE-2026-6796 | Sanluan PublicCMS Failed Login LoginAdminController.java log_login cleartext storage in file | Sanluan | PublicCMS | Medium | 4.3 | 2026-04-21 20:30:19 | Deep Dive |
| CVE-2026-40910 | frp: Authentication bypass in frp HTTP vhost routing when routeByHTTPUser is used for access control | fatedier | frp | Medium | 6.5 | 2026-04-21 20:09:01 | Deep Dive |
| CVE-2026-40906 | Electric: SQL Injection via ORDER BY Parameter in Shape API | electric-sql | electric | Critical | 9.9 | 2026-04-21 20:05:52 | Deep Dive |
| CVE-2026-40905 | LinkAce: Password Reset Poisoning via X-Forwarded-Host Header Injection Leading to Account Takeover | Kovah | LinkAce | High | 8.1 | 2026-04-21 20:02:35 | Deep Dive |
| CVE-2026-40895 | follow-redirects: Custom Authentication Headers Leaked to Cross-Domain Redirect Targets | follow-redirects | follow-redirects | - | - | 2026-04-21 20:00:00 | Deep Dive |
| CVE-2026-40925 | WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials | WWBN | AVideo | High | 8.3 | 2026-04-21 19:58:30 | Deep Dive |
| CVE-2026-40911 | WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks | WWBN | AVideo | Critical | 10.0 | 2026-04-21 19:55:37 | Deep Dive |
| CVE-2026-40892 | PJSIP: Stack buffer overflow in pjsip_auth_create_digest2() | pjsip | pjproject | - | - | 2026-04-21 19:55:27 | Deep Dive |
| CVE-2026-40909 | WWBN AVideo has a Path Traversal in Locale Save Endpoint that Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE) | WWBN | AVideo | High | 8.7 | 2026-04-21 19:54:07 | Deep Dive |
| CVE-2026-40908 | WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php that Exposes Developer Emails and Deployed Version | WWBN | AVideo | Medium | 5.3 | 2026-04-21 19:52:34 | Deep Dive |
| CVE-2026-40890 | github.com/gomarkdown/markdown: Out-of-bounds Read in SmartypantsRenderer | gomarkdown | markdown | High | 7.5 | 2026-04-21 19:51:53 | Deep Dive |
| CVE-2026-40907 | WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys and OAuth Tokens | WWBN | AVideo | Medium | 6.5 | 2026-04-21 19:50:10 | Deep Dive |
| CVE-2026-40903 | Goshs - ArtiPACKED Vulnerability – GitHub Actions Credential Persistence | patrickhener | goshs | Critical | 9.1 | 2026-04-21 19:43:36 | Deep Dive |
| CVE-2026-6819 | HKUDS OpenHarness Plugin Management Command Exposure | HKUDS | OpenHarness | High | 8.8 | 2026-04-21 19:41:16 | Deep Dive |
| CVE-2026-40885 | goshs: Public collaborator feed leaks .goshs ACL credentials and enables unauthorized access | patrickhener | goshs | - | - | 2026-04-21 19:40:37 | Deep Dive |
| CVE-2026-40884 | goshs: Empty-username SFTP password authentication bypass in goshs | patrickhener | goshs | Critical | 9.8 | 2026-04-21 19:39:26 | Deep Dive |
| CVE-2026-40883 | goshs: CSRF in state-changing GET routes enables authenticated file deletion and directory creation | patrickhener | goshs | - | - | 2026-04-21 19:35:38 | Deep Dive |
| CVE-2026-40876 | SFTP root escape via prefix-based path validation in goshs | patrickhener | goshs | - | - | 2026-04-21 19:34:20 | Deep Dive |