| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-32690 | Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1 | Apache Software Foundation | Apache Airflow | - | - | 2026-04-18 06:22:26 | Deep Dive |
| CVE-2026-30898 | Apache Airflow: Bad example of BashOperator shell injection via dag_run.conf | Apache Software Foundation | Apache Airflow | - | - | 2026-04-18 06:20:49 | Deep Dive |
| CVE-2026-30912 | Apache Airflow: Exposing stack trace in case of constraint error | Apache Software Foundation | Apache Airflow | - | - | 2026-04-18 06:20:30 | Deep Dive |
| CVE-2026-25917 | Apache Airflow: API extra-links triggers XCom deserialization/class instantiation (Airflow 3.1.5) | Apache Software Foundation | Apache Airflow | - | - | 2026-04-18 06:20:11 | Deep Dive |
| CVE-2026-32228 | Apache Airflow: Users with asset materialization permissions could trigger Dags they had no access to | Apache Software Foundation | Apache Airflow | - | - | 2026-04-18 06:19:48 | Deep Dive |
| CVE-2026-41253 | iTerm2 security vulnerability | iTerm2 | iTerm2 | Medium | 6.9 | 2026-04-18 05:27:08 | Deep Dive |
| CVE-2026-6048 | Flipbox Addon for Elementor <= 2.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Attributes | dragwyb | Flipbox Addon for Elementor | Medium | 6.4 | 2026-04-18 03:37:06 | Deep Dive |
| CVE-2026-6518 | CMP – Coming Soon & Maintenance Plugin by NiteoThemes <= 4.1.16 - Missing Authorization to Authenticated (Administrator+) Arbitrary File Upload and Remote Code Execution | niteo | CMP – Coming Soon & Maintenance Plugin by NiteoThemes | High | 8.8 | 2026-04-18 03:37:05 | Deep Dive |
| CVE-2026-4801 | Page Builder Gutenberg Blocks <= 3.1.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via External iCal Feed Data | godaddy | Page Builder Gutenberg Blocks – CoBlocks | Medium | 6.4 | 2026-04-18 03:37:04 | Deep Dive |
| CVE-2026-40494 | SAIL has heap buffer overflow in TGA RLE decoder — raw packet path missing bounds check | HappySeaFox | sail | Critical | 9.8 | 2026-04-18 01:42:49 | Deep Dive |
| CVE-2026-40493 | SAIL has heap buffer overflow in PSD decoder — bpp mismatch in LAB 16-bit mode | HappySeaFox | sail | Critical | 9.8 | 2026-04-18 01:41:15 | Deep Dive |
| CVE-2026-40492 | SAIL has heap buffer overflow in XWD decoder — bits_per_pixel vs pixmap_depth type confusion in byte-swap | HappySeaFox | sail | Critical | 9.8 | 2026-04-18 01:39:48 | Deep Dive |
| CVE-2026-40491 | gdown Affected by Arbitrary File Write via Path Traversal in gdown.extractall | wkentaro | gdown | Medium | 6.5 | 2026-04-18 01:36:48 | Deep Dive |
| CVE-2026-40490 | AsyncHttpClient leaks authorization credentials to untrusted domains on cross-origin redirects | AsyncHttpClient | async-http-client | Medium | 6.8 | 2026-04-18 01:31:14 | Deep Dive |
| CVE-2026-1559 | Youzify <= 1.3.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'checkin_place_id' Parameter | youzify | Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress | Medium | 6.4 | 2026-04-18 01:26:05 | Deep Dive |
| CVE-2026-1838 | Hostel <= 1.1.6 - Reflected Cross-Site Scripting via 'shortcode_id' Parameter | prasunsen | Hostel | Medium | 6.1 | 2026-04-18 01:26:05 | Deep Dive |
| CVE-2026-40489 | editorconfig-core-c has incomplete fix for CVE-2023-0341 | editorconfig | editorconfig-core-c | - | - | 2026-04-18 01:24:57 | Deep Dive |
| CVE-2026-40487 | Postiz Has Unrestricted File Upload via MIME Type Spoofing that Leads to Stored XSS | gitroomhq | postiz-app | High | 8.9 | 2026-04-18 01:19:07 | Deep Dive |
| CVE-2026-35582 | Emissary has an OS Command Injection via Unvalidated IN_FILE_ENDING / OUT_FILE_ENDING in Executrix | NationalSecurityAgency | emissary | High | 8.8 | 2026-04-18 01:16:28 | Deep Dive |
| CVE-2026-35465 | SecureDrop Client has path injection in read_gzip_header_filename() | freedomofpress | securedrop-client | High | 7.5 | 2026-04-18 00:41:17 | Deep Dive |