| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-40613 | Coturn: Misaligned Memory Access in coturn STUN Attribute Parser (Remote DoS on ARM64) | coturn | coturn | High | 7.5 | 2026-04-21 18:00:53 | Deep Dive |
| CVE-2026-6744 | Bagisto Downloadable Link copy server-side request forgery | - | Bagisto | Medium | 6.3 | 2026-04-21 18:00:18 | Deep Dive |
| CVE-2026-40611 | Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider | go-acme | lego | High | 8.8 | 2026-04-21 17:58:35 | Deep Dive |
| CVE-2026-40608 | Next AI Draw.io: Unbounded HTTP Body — Denial of Service | DayuanJiang | next-ai-draw-io | Medium | 6.2 | 2026-04-21 17:56:35 | Deep Dive |
| CVE-2026-40606 | ProxyAuth Addon LDAP Injection in mitmproxy | mitmproxy | mitmproxy | Medium | 4.8 | 2026-04-21 17:43:21 | Deep Dive |
| CVE-2026-40604 | ClearanceKit: opfilter system extension can be suspended or signalled by a root process, disabling file-access policy enforcement | craigjbass | clearancekit | - | - | 2026-04-21 17:41:54 | Deep Dive |
| CVE-2026-40602 | hass-cli: Handling of user-supplied Jinja2 templates | home-assistant-ecosystem | home-assistant-cli | Medium | 5.6 | 2026-04-21 17:40:10 | Deep Dive |
| CVE-2026-40599 | ClearanceKit: Ad-hoc signed binaries can spoof Apple process identities in the global allowlist | craigjbass | clearancekit | - | - | 2026-04-21 17:37:05 | Deep Dive |
| CVE-2026-41194 | FreeScout's Mailbox OAuth disconnect uses a state-changing GET and is CSRFable | freescout-help-desk | freescout | Medium | 5.4 | 2026-04-21 17:16:50 | Deep Dive |
| CVE-2026-41193 | FreeScout has Zip Slip path traversal in module installation that allows arbitrary file write leading to RCE | freescout-help-desk | freescout | Critical | 9.1 | 2026-04-21 17:15:26 | Deep Dive |
| CVE-2026-40594 | pyLoad: Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition) | pyload | pyload | Medium | 4.8 | 2026-04-21 17:14:04 | Deep Dive |
| CVE-2026-41192 | FreeScout's client-controlled attachment IDs allow deletion of existing conversation attachments | freescout-help-desk | freescout | High | 7.1 | 2026-04-21 17:12:43 | Deep Dive |
| CVE-2026-40588 | blueprintUE: Authenticated Password Change Does Not Verify Current Password | blueprintue | blueprintue-self-hosted-edition | High | 8.1 | 2026-04-21 17:12:09 | Deep Dive |
| CVE-2026-40587 | blueprintUE: Active Sessions Are Not Invalidated After Password Change or Reset | blueprintue | blueprintue-self-hosted-edition | Medium | 6.5 | 2026-04-21 17:11:24 | Deep Dive |
| CVE-2026-40586 | blueprintUE: Login Endpoint Has No Rate Limiting, Lockout, or Brute-Force Protection | blueprintue | blueprintue-self-hosted-edition | High | 7.5 | 2026-04-21 17:10:05 | Deep Dive |
| CVE-2026-41191 | FreeScout's signature only mailbox permission allows unauthorized mailbox chat setting changes | freescout-help-desk | freescout | High | 7.1 | 2026-04-21 17:09:26 | Deep Dive |
| CVE-2026-40585 | blueprintUE: Password Reset Tokens Have No Expiry Window | blueprintue | blueprintue-self-hosted-edition | High | 7.4 | 2026-04-21 17:09:18 | Deep Dive |
| CVE-2026-41190 | FreeScout has assigned-only visibility bypass via save_draft that allows hidden conversation draft injection | freescout-help-desk | freescout | High | 7.1 | 2026-04-21 17:06:32 | Deep Dive |
| CVE-2026-40584 | RansomLook - Improper Filtering of Private Location Entries in API Endpoints Leads to Information Exposure | RansomLook | RansomLook | - | - | 2026-04-21 17:05:25 | Deep Dive |
| CVE-2026-41189 | FreeScout has assigned-only visibility bypass that allows editing hidden customer-authored threads | freescout-help-desk | freescout | High | 7.1 | 2026-04-21 17:04:07 | Deep Dive |