| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-29013 | libcoap Out-of-Bounds Read in OSCORE CBOR Unwrap Handling | libcoap | libcoap | - | - | 2026-04-17 21:11:38 | Deep Dive |
| CVE-2026-40321 | DotNetNuke.Core has stored cross-site-scripting (XSS) via SVG upload | dnnsoftware | Dnn.Platform | High | 8.0 | 2026-04-17 21:10:33 | Deep Dive |
| CVE-2026-40352 | FastGPT: NoSQL Injection in updatePasswordByOld Leads to Account Takeover | labring | FastGPT | High | 8.8 | 2026-04-17 21:09:33 | Deep Dive |
| CVE-2026-40306 | DNN has same HostGUID for all new installs | dnnsoftware | Dnn.Platform | - | - | 2026-04-17 21:09:30 | Deep Dive |
| CVE-2026-40305 | DNN has Force Friend Request Acceptance | dnnsoftware | Dnn.Platform | Medium | 4.3 | 2026-04-17 21:06:09 | Deep Dive |
| CVE-2026-40351 | FastGPT: NoSQL Injection in loginByPassword leads to Authentication Bypass | labring | FastGPT | Critical | 9.8 | 2026-04-17 21:05:06 | Deep Dive |
| CVE-2026-40304 | zrok's broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records | openziti | zrok | Medium | 5.3 | 2026-04-17 21:04:24 | Deep Dive |
| CVE-2026-40303 | zrok allows unauthenticated DoS via unbounded memory allocation in striped session cookie parsing | openziti | zrok | High | 7.5 | 2026-04-17 21:01:52 | Deep Dive |
| CVE-2026-40196 | HomeBox has Unauthorized API Access via Retained defaultGroup ID After Group Access Revocation | sysadminsmedia | homebox | High | 8.1 | 2026-04-17 21:01:19 | Deep Dive |
| CVE-2026-40302 | zrok has reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering | openziti | zrok | Medium | 6.1 | 2026-04-17 20:56:08 | Deep Dive |
| CVE-2026-40155 | Auth0 Next.js SDK has Improper Proxy Cache Lookup | auth0 | nextjs-auth0 | Medium | 5.4 | 2026-04-17 20:54:39 | Deep Dive |
| CVE-2026-40301 | rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives | rhukster | dom-sanitizer | Medium | 4.7 | 2026-04-17 20:51:37 | Deep Dive |
| CVE-2026-40299 | next-intl has an open redirect vulnerability | amannn | next-intl | - | - | 2026-04-17 20:49:06 | Deep Dive |
| CVE-2026-40293 | OpenFGA Playground Preshared Key Exposure | openfga | openfga | Medium | 6.5 | 2026-04-17 20:47:07 | Deep Dive |
| CVE-2026-35603 | Claude Code: Insecure System-Wide Configuration Loading Enables Local Privilege Escalation on Windows | anthropics | claude-code | - | - | 2026-04-17 20:38:50 | Deep Dive |
| CVE-2026-35402 | mcp-neo4j-cypher: SSRF and Data Modification via read_only Mode Bypass Through CALL Procedures | neo4j-contrib | mcp-neo4j | - | - | 2026-04-17 20:34:07 | Deep Dive |
| CVE-2026-33436 | Stirling-PDF: Reflected XSS through crafted filename in file upload functionality | Stirling-Tools | Stirling-PDF | Low | 3.1 | 2026-04-17 20:29:43 | Deep Dive |
| CVE-2026-40286 | WeGIA has Cross-Site Scripting in Controle de Contribuição | LabRedesCefetRJ | WeGIA | High | 7.5 | 2026-04-17 20:27:59 | Deep Dive |
| CVE-2026-23500 | Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration | Dolibarr | dolibarr | - | - | 2026-04-17 20:25:50 | Deep Dive |
| CVE-2026-40285 | WeGIA has SQL Injection via Session Variable Override in DespachoControle.php | LabRedesCefetRJ | WeGIA | High | 8.8 | 2026-04-17 20:25:33 | Deep Dive |