| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-41481 | LangChain: HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass | langchain-ai | langchain-text-splitters | Medium | 6.5 | 2026-04-24 20:54:28 | Deep Dive |
| CVE-2026-41478 | Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId) | saltcorn | saltcorn | Critical | 9.9 | 2026-04-24 20:52:31 | Deep Dive |
| CVE-2026-41473 | CyberPanel < 2.4.4 Unauthenticated API Access via AI Scanner Endpoints | usmannasir | cyberpanel | - | - | 2026-04-24 20:40:36 | Deep Dive |
| CVE-2026-41472 | CyberPanel < 2.4.4 Stored XSS via AI Scanner Dashboard | usmannasir | cyberpanel | - | - | 2026-04-24 20:40:12 | Deep Dive |
| CVE-2026-41477 | Deskflow: Local privilege escalation via unauthenticated IPC | deskflow | deskflow | High | 7.8 | 2026-04-24 19:50:22 | Deep Dive |
| CVE-2026-41476 | Deskflow: clipboard deserialization global-buffer-overflow | deskflow | deskflow | - | - | 2026-04-24 19:47:45 | Deep Dive |
| CVE-2026-6968 | Multiple Path Traversal Variants in awslabs/tough | AWS | tough | Medium | 5.9 | 2026-04-24 19:44:45 | Deep Dive |
| CVE-2026-41503 | BACnet Stack: Out-of-Bounds Read in ReadPropertyMultiple Property Decoder via Deprecated Tag Parser | bacnet-stack | bacnet-stack | - | - | 2026-04-24 19:41:44 | Deep Dive |
| CVE-2026-6967 | Missing Delegated Metadata Validation in awslabs/tough | AWS | tough | Medium | 5.9 | 2026-04-24 19:41:43 | Deep Dive |
| CVE-2026-41502 | BACnet Stack: Off-by-One Out-of-Bounds Read in ReadPropertyMultiple Object ID Decoder | bacnet-stack | bacnet-stack | - | - | 2026-04-24 19:40:43 | Deep Dive |
| CVE-2026-41475 | BACnet Stack: Out-of-Bounds Read in WritePropertyMultiple Decoder via Deprecated Tag Parser | bacnet-stack | bacnet-stack | - | - | 2026-04-24 19:39:52 | Deep Dive |
| CVE-2026-6966 | Signature Threshold Bypass in awslabs/tough Delegated Roles | AWS | tough | Medium | 5.3 | 2026-04-24 19:38:25 | Deep Dive |
| CVE-2026-41433 | OpenTelemetry eBPF Instrumentation: Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR | open-telemetry | opentelemetry-ebpf-instrumentation | High | 8.4 | 2026-04-24 19:26:20 | Deep Dive |
| CVE-2026-41427 | Better Auth OAuth 2.1 Provider: Unprivileged users can register OAuth clients | better-auth | better-auth | - | - | 2026-04-24 19:23:20 | Deep Dive |
| CVE-2026-41429 | Improper validation of NBNS name_len in arduino-esp32 NetBIOS leads to memory corruption | espressif | arduino-esp32 | High | 8.8 | 2026-04-24 19:19:50 | Deep Dive |
| CVE-2026-41428 | Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints | Budibase | budibase | Critical | 9.1 | 2026-04-24 19:17:30 | Deep Dive |
| CVE-2026-41426 | pretalx: Email injection via unescaped user-controlled placeholders in pretalx mail templates | pretalx | pretalx | Medium | 6.1 | 2026-04-24 19:15:39 | Deep Dive |
| CVE-2026-41425 | Authlib: Cross-site request forging when using cache | authlib | authlib | Medium | 5.4 | 2026-04-24 19:14:38 | Deep Dive |
| CVE-2026-41244 | Mojic: Observable Timing Discrepancy in HMAC Verification | notamitgamer | mojic | Medium | 4.7 | 2026-04-24 19:11:55 | Deep Dive |
| CVE-2026-41894 | SiYuan: Incomplete Fix Bypass for CVE-2026-30869: Path Traversal via Double URL Encoding in `/export/` Endpoint | siyuan-note | siyuan | - | - | 2026-04-24 18:56:54 | Deep Dive |