| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-40895 | follow-redirects: Custom Authentication Headers Leaked to Cross-Domain Redirect Targets | follow-redirects | follow-redirects | - | - | 2026-04-21 20:00:00 | Deep Dive |
| CVE-2026-40925 | WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials | WWBN | AVideo | High | 8.3 | 2026-04-21 19:58:30 | Deep Dive |
| CVE-2026-40911 | WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks | WWBN | AVideo | Critical | 10.0 | 2026-04-21 19:55:37 | Deep Dive |
| CVE-2026-40892 | PJSIP: Stack buffer overflow in pjsip_auth_create_digest2() | pjsip | pjproject | - | - | 2026-04-21 19:55:27 | Deep Dive |
| CVE-2026-40909 | WWBN AVideo has a Path Traversal in Locale Save Endpoint that Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE) | WWBN | AVideo | High | 8.7 | 2026-04-21 19:54:07 | Deep Dive |
| CVE-2026-40908 | WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php that Exposes Developer Emails and Deployed Version | WWBN | AVideo | Medium | 5.3 | 2026-04-21 19:52:34 | Deep Dive |
| CVE-2026-40890 | github.com/gomarkdown/markdown: Out-of-bounds Read in SmartypantsRenderer | gomarkdown | markdown | High | 7.5 | 2026-04-21 19:51:53 | Deep Dive |
| CVE-2026-40907 | WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys and OAuth Tokens | WWBN | AVideo | Medium | 6.5 | 2026-04-21 19:50:10 | Deep Dive |
| CVE-2026-40903 | Goshs - ArtiPACKED Vulnerability – GitHub Actions Credential Persistence | patrickhener | goshs | Critical | 9.1 | 2026-04-21 19:43:36 | Deep Dive |
| CVE-2026-6819 | HKUDS OpenHarness Plugin Management Command Exposure | HKUDS | OpenHarness | High | 8.8 | 2026-04-21 19:41:16 | Deep Dive |
| CVE-2026-40885 | goshs: Public collaborator feed leaks .goshs ACL credentials and enables unauthorized access | patrickhener | goshs | - | - | 2026-04-21 19:40:37 | Deep Dive |
| CVE-2026-40884 | goshs: Empty-username SFTP password authentication bypass in goshs | patrickhener | goshs | Critical | 9.8 | 2026-04-21 19:39:26 | Deep Dive |
| CVE-2026-40883 | goshs: CSRF in state-changing GET routes enables authenticated file deletion and directory creation | patrickhener | goshs | - | - | 2026-04-21 19:35:38 | Deep Dive |
| CVE-2026-40876 | SFTP root escape via prefix-based path validation in goshs | patrickhener | goshs | - | - | 2026-04-21 19:34:20 | Deep Dive |
| CVE-2026-41320 | Frappe HR has possibility of SQL Injection due to improper field sanitization | frappe | hrms | Medium | 6.5 | 2026-04-21 19:34:17 | Deep Dive |
| CVE-2026-40889 | Frappe HR has Improper Access Control on Files | frappe | hrms | Medium | 6.5 | 2026-04-21 19:32:52 | Deep Dive |
| CVE-2026-40888 | Frappe HR vulnerable to Improper Access Control | frappe | hrms | - | - | 2026-04-21 19:28:29 | Deep Dive |
| CVE-2026-40887 | @vendure/core has a SQL Injection vulnerability | vendurehq | vendure | Critical | 9.1 | 2026-04-21 19:25:00 | Deep Dive |
| CVE-2026-40878 | mailcow-dockerized Login Page has Reflected Parameter Injection / Wrong-Context XSS Escaping | mailcow | mailcow-dockerized | - | - | 2026-04-21 19:21:57 | Deep Dive |
| CVE-2026-33812 | Excessive memory allocation when decoding malicious SFNT in golang.org/x/image | golang.org/x/image | golang.org/x/image/font/sfnt | - | - | 2026-04-21 19:21:29 | Deep Dive |