| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At |
|---|---|---|---|---|---|---|
| CVE-2026-40572 | NovumOS has Arbitrary Memory Mapping via Syscall 15 (MemoryMapRange) | MinecAnton209 | NovumOS | Critical | 9.0 | 2026-04-18 00:16:03 |
| CVE-2026-40317 | NovumOS has Privilege Escalation in the Syscall Interface | MinecAnton209 | NovumOS | Critical | 9.3 | 2026-04-18 00:12:10 |
| CVE-2026-40350 | Movary User Management (/settings/users) has Authorization Bypass that Allows Low-Privileged Users to Enumerate All Users and Create Administrator Accounts | leepeuker | movary | High | 8.8 | 2026-04-18 00:07:33 |
| CVE-2026-40349 | Authenticated Movary User Can Self-Escalate to Administrator via PUT /settings/users/{userId} by Setting isAdmin=true | leepeuker | movary | High | 8.8 | 2026-04-18 00:05:46 |
| CVE-2026-40593 | ChurchCRM: Stored XSS in UserEditor.php via Login Name Field | ChurchCRM | CRM | Medium | 4.8 | 2026-04-18 00:03:00 |
| CVE-2026-40348 | Movary has Authenticated SSRF via Jellyfin Server URL Verification that Allows Internal Network Probing | leepeuker | movary | High | 7.7 | 2026-04-18 00:01:10 |
| CVE-2026-40347 | Python-Multipart affected by Denial of Service via large multipart preamble or epilogue data | Kludex | python-multipart | Medium | 5.3 | 2026-04-17 23:56:51 |
| CVE-2026-40346 | NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins | nocobase | @nocobase/plugin-workflow-request | - | - | 2026-04-17 23:54:35 |
| CVE-2026-40581 | ChurchCRM: Cross-Site Request Forgery (CSRF) in SelectDelete.php Leading to Permanent Data Deletion | ChurchCRM | CRM | High | 8.1 | 2026-04-17 23:51:33 |
| CVE-2026-40337 | Sentry kernel has incomplete ownership check for IRQ line manipulation | camelot-os | sentry-kernel | Medium | 5.1 | 2026-04-17 23:51:10 |
| CVE-2026-40341 | libgphoto2 has an OOB Read in ptp_unpack_EOS_FocusInfoEx | gphoto | libgphoto2 | Low | 3.5 | 2026-04-17 23:48:37 |
| CVE-2026-40340 | libgphoto2 has OOB read in ptp_unpack_OI() in ptp-pack.c via malicious PTP ObjectInfo response | gphoto | libgphoto2 | Medium | 6.1 | 2026-04-17 23:45:17 |
| CVE-2026-40339 | libgphoto2 has OOB read in ptp_unpack_Sony_DPD() FormFlag parsing in ptp-pack.c | gphoto | libgphoto2 | Medium | 5.2 | 2026-04-17 23:42:33 |
| CVE-2026-40338 | libgphoto2 has OOB read in ptp_unpack_Sony_DPD() enumeration count parsing in ptp-pack.c | gphoto | libgphoto2 | Medium | 5.2 | 2026-04-17 23:40:10 |
| CVE-2026-40485 | ChurchCRM: Username Enumeration via Differential Response in Public Login API | ChurchCRM | CRM | Medium | 5.3 | 2026-04-17 23:29:36 |
| CVE-2026-40336 | libgphoto2 has memory leak in ptp_unpack_Sony_DPD() secondary enumeration list in ptp-pack.c | gphoto | libgphoto2 | Low | 2.4 | 2026-04-17 23:27:43 |
| CVE-2026-2262 | Easy Appointments <= 3.12.21 - Unauthenticated Sensitive Information Exposure via REST API | easyappointments | Easy Appointments | High | 7.5 | 2026-04-17 23:26:49 |
| CVE-2026-40484 | ChurchCRM: Authenticated Remote Code Execution via Unrestricted PHP File Write in Database Restore Function | ChurchCRM | CRM | Critical | 9.1 | 2026-04-17 23:25:06 |
| CVE-2026-40483 | ChurchCRM: Stored XSS in PledgeEditor.php via Donation Comment Field | ChurchCRM | CRM | Medium | 5.4 | 2026-04-17 23:20:45 |
| CVE-2026-40335 | libgphoto2 has OOB read in ptp_unpack_DPV() UINT128/INT128 handling in ptp-pack.c | gphoto | libgphoto2 | Medium | 5.2 | 2026-04-17 23:19:17 |