| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-31369 | Privilege Bypass in PcManager | Honor | PcManager | Low | 3.2 | 2026-04-21 06:26:52 | Deep Dive |
| CVE-2026-5965 | NewSoft\|NewSoftOA - OS Command Injection | NewSoft | NewSoftOA | Critical | 9.8 | 2026-04-21 03:32:55 | Deep Dive |
| CVE-2026-6674 | Plugin: CMS für Motorrad Werkstätten <= 1.0.0 - Authenticated (Subscriber+) SQL Injection via 'arttype' Parameter | tholstkabelbwde | Plugin: CMS für Motorrad Werkstätten | Medium | 6.5 | 2026-04-21 02:25:41 | Deep Dive |
| CVE-2026-6675 | Responsive Blocks <= 2.2.0 - Unauthenticated Open Email Relay via REST API 'email_to' Parameter | cyberchimps | Responsive Blocks – Page Builder for Blocks & Patterns | Medium | 5.3 | 2026-04-21 02:25:40 | Deep Dive |
| CVE-2026-40497 | FreeScout Vulnerable to CSS Injection via Stored Style Tag in Mailbox Signature (CSRF Token Exfiltration) | freescout-help-desk | freescout | High | 8.1 | 2026-04-21 01:45:55 | Deep Dive |
| CVE-2026-6058 | Zyxel WRE6505 Security Vulnerability | Zyxel | WRE6505 v2 firmware | Medium | 4.5 | 2026-04-21 01:42:07 | Deep Dive |
| CVE-2026-40496 | FreeScout has Predictable Attachment Token that Allows Unauthenticated Private File Download via Brute Force | freescout-help-desk | freescout | - | - | 2026-04-21 01:38:50 | Deep Dive |
| CVE-2026-39973 | Apktool: Path Traversal to Arbitrary File Write | iBotPeaches | Apktool | High | 7.1 | 2026-04-21 01:35:22 | Deep Dive |
| CVE-2026-40250 | OpenEXR has integer overflow in DWA decoder outBufferEnd pointer arithmetic (missed variant of CVE-2026-34589) | AcademySoftwareFoundation | openexr | - | - | 2026-04-21 01:33:00 | Deep Dive |
| CVE-2026-40244 | OpenEXR has integer overflow in DWA setupChannelData planarUncRle pointer arithmetic (missed variant of CVE-2026-34589) | AcademySoftwareFoundation | openexr | - | - | 2026-04-21 01:30:55 | Deep Dive |
| CVE-2026-39886 | OpenEXR has HTJ2K Signed Integer Overflow in ht_undo_impl() | AcademySoftwareFoundation | openexr | Medium | 5.3 | 2026-04-21 01:27:01 | Deep Dive |
| CVE-2026-39866 | Lawnchair vulnerable to Command Injection via unquoted workflow dispatch input in release_update.yml | LawnchairLauncher | lawnchair | - | - | 2026-04-21 01:19:48 | Deep Dive |
| CVE-2026-39861 | Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace | anthropics | claude-code | - | - | 2026-04-21 00:56:39 | Deep Dive |
| CVE-2026-39386 | Neko has Self-service Privilege Escalation for Authenticated Users | m1k1o | neko | High | 8.8 | 2026-04-21 00:50:35 | Deep Dive |
| CVE-2026-40264 | OpenBao's Token Store Allows Cross-Namespace Renewal, Revocation | openbao | openbao | - | - | 2026-04-21 00:47:38 | Deep Dive |
| CVE-2026-39396 | OpenBao has Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS) | openbao | openbao | Low | 3.1 | 2026-04-21 00:44:54 | Deep Dive |
| CVE-2026-39388 | OpenBao's Certificate Authentication Allows Token Renewal With Different Certificate | openbao | openbao | - | - | 2026-04-21 00:43:23 | Deep Dive |
| CVE-2026-39946 | OpenBao allows SQL Injection in PostgreSQL database secrets engine | openbao | openbao | Medium | - | 2026-04-21 00:19:40 | Deep Dive |
| CVE-2026-39378 | nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding | jupyter | nbconvert | Medium | 6.5 | 2026-04-21 00:17:01 | Deep Dive |
| CVE-2026-39377 | nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames | jupyter | nbconvert | Medium | 6.5 | 2026-04-21 00:15:00 | Deep Dive |