| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-40483 | ChurchCRM: Stored XSS in PledgeEditor.php via Donation Comment Field | ChurchCRM | CRM | Medium | 5.4 | 2026-04-17 23:20:45 | Deep Dive |
| CVE-2026-40335 | libgphoto2 has OOB read in ptp_unpack_DPV() UINT128/INT128 handling in ptp-pack.c | gphoto | libgphoto2 | Medium | 5.2 | 2026-04-17 23:19:17 | Deep Dive |
| CVE-2026-40334 | libgphoto2 missing null termination in ptp_unpack_Canon_FE() filename buffer in ptp-pack.c | gphoto | libgphoto2 | Low | 3.5 | 2026-04-17 23:16:39 | Deep Dive |
| CVE-2026-40582 | ChurchCRM: Authentication Bypass in `/api/public/user/login` Allows Bypass of 2FA and Account Lockout | ChurchCRM | CRM | - | - | 2026-04-17 23:16:14 | Deep Dive |
| CVE-2026-40333 | libgphoto2 has OOB read in ptp_unpack_EOS_ImageFormat() and ptp_unpack_EOS_CustomFuncEx() due to missing length parameter in ptp-pack.c | gphoto | libgphoto2 | Medium | 6.1 | 2026-04-17 23:11:11 | Deep Dive |
| CVE-2026-40480 | ChurchCRM has Missing Object-Level Authorization / IDOR in `/api/person/{personId}` | ChurchCRM | CRM | - | - | 2026-04-17 23:07:30 | Deep Dive |
| CVE-2026-40324 | Hot Chocolate's Utf8GraphQLParser has Stack Overflow via Deeply Nested GraphQL Documents | ChilliCream | graphql-platform | Critical | 9.1 | 2026-04-17 23:05:26 | Deep Dive |
| CVE-2026-40482 | ChurchCRM has Authenticated SQL Injection in `/api/families/byCheckNumber/{scanString}` | ChurchCRM | CRM | - | - | 2026-04-17 22:58:49 | Deep Dive |
| CVE-2026-40323 | SP1 V6 Recursion Circuit Row-Count Binding Gap | succinctlabs | sp1 | - | - | 2026-04-17 22:58:43 | Deep Dive |
| CVE-2026-40481 | monetr: Unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation | monetr | monetr | - | - | 2026-04-17 22:54:58 | Deep Dive |
| CVE-2026-40486 | Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate | kimai | kimai | Medium | 4.3 | 2026-04-17 22:35:54 | Deep Dive |
| CVE-2026-40479 | Kimai: Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget | kimai | kimai | Medium | 5.4 | 2026-04-17 22:31:30 | Deep Dive |
| CVE-2026-2434 | Pz-LinkCard <= 2.5.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | poporon | Pz-LinkCard | Medium | 6.4 | 2026-04-17 22:27:14 | Deep Dive |
| CVE-2026-40478 | Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf | thymeleaf | thymeleaf | Critical | 9.0 | 2026-04-17 21:57:02 | Deep Dive |
| CVE-2026-40477 | Improper restriction of the scope of accessible objects in Thymeleaf expressions | thymeleaf | thymeleaf | Critical | 9.0 | 2026-04-17 21:53:47 | Deep Dive |
| CVE-2026-40476 | graphql-php: Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation | webonyx | graphql-php | - | - | 2026-04-17 21:43:00 | Deep Dive |
| CVE-2026-5720 | miniupnpd Integer Underflow SOAPAction Header Parsing | miniupnp project | miniupnpd | - | - | 2026-04-17 21:39:55 | Deep Dive |
| CVE-2026-40474 | wger has Broken Access Control in the Global Gym Configuration Update Endpoint | wger-project | wger | High | 7.6 | 2026-04-17 21:39:04 | Deep Dive |
| CVE-2026-40353 | wger: Stored XSS via Unescaped License Attribution Fields | wger-project | wger | - | - | 2026-04-17 21:16:12 | Deep Dive |
| CVE-2026-40258 | Gramps Web API has Zip Slip Path Traversal in Media Archive Import | gramps-project | gramps-web-api | Critical | 9.1 | 2026-04-17 21:12:54 | Deep Dive |
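The last row names a Zip Slip path traversal in an archive import. The rows above give titles only, so the following is a generic, added example of how an import endpoint defends against that vulnerability class; it is not Gramps Web API code and says nothing about how that project's import was actually written or fixed. It is plain Python with the standard library `zipfile`; the function names, the import directory layout and the sample archives (including the hostile `../` member) are all constructed for the illustration.

```python
import io
import os
import re
import tempfile
import zipfile

# Added example (not Gramps Web API code): generic Zip Slip defence for an
# archive-import endpoint. Function names and the sample archives are constructed.

_DRIVE_RE = re.compile(r"^[A-Za-z]:")  # Windows drive prefix such as C:


def resolve_member(dest_dir, name):
    """Return the on-disk path for archive member `name` inside `dest_dir`,
    or raise ValueError if the member would land outside it.

    realpath() follows symlinks already present under dest_dir, so a link that
    points out of the import directory is caught as well as a literal '../'.
    """
    if "\x00" in name:
        raise ValueError(f"NUL byte in member name: {name!r}")
    if name.startswith(("/", "\\")) or _DRIVE_RE.match(name):
        raise ValueError(f"absolute member name: {name!r}")
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, name))
    # commonpath compares path components; a str.startswith() test would
    # wrongly accept '/srv/media_evil' as being inside '/srv/media'.
    if os.path.commonpath([dest, target]) != dest:
        raise ValueError(f"path traversal in member name: {name!r}")
    return target


def is_safe_member(dest_dir, name):
    """Boolean form of resolve_member for callers that want to reject, not raise."""
    try:
        resolve_member(dest_dir, name)
        return True
    except ValueError:
        return False


def safe_extract(zip_bytes, dest_dir):
    """Validate every member before writing anything; return extracted names.

    The whole archive is checked first so one bad entry cannot leave a
    partially imported media set behind.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = [(info, resolve_member(dest_dir, info.filename)) for info in zf.infolist()]
        written = []
        for info, target in plan:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_zip(entries):
    """Constructed sample archive: entries maps member name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)  # writestr stores '../' names verbatim
    return buf.getvalue()


def demo():
    """Import a benign archive, then a traversal archive; report what happened."""
    benign = build_zip({"media/photo.jpg": b"\xff\xd8\xff", "media/notes.txt": b"ok"})
    # Constructed hostile archive: second member escapes the import directory.
    hostile = build_zip({"media/ok.txt": b"x", "../outside.txt": b"pwned"})
    with tempfile.TemporaryDirectory() as tmp:
        import_dir = os.path.join(tmp, "import")
        extracted = safe_extract(benign, import_dir)
        try:
            safe_extract(hostile, import_dir)
            blocked = False
        except ValueError:
            blocked = True
        # Nothing from the hostile archive was written, not even media/ok.txt.
        leaked = os.path.exists(os.path.join(tmp, "outside.txt")) or \
            os.path.exists(os.path.join(import_dir, "media", "ok.txt"))
    return extracted, blocked, leaked


if __name__ == "__main__":
    print(demo())
```

The check is deliberately done on the resolved real path rather than on the member name string: rejecting `..` textually misses names that only escape after symlink resolution, and accepting anything that merely starts with the destination string misses sibling directories with a shared prefix. Validating the full archive before the first write is what keeps a rejected import from leaving half its files behind.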