| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-5488 | ExactMetrics <= 9.1.2 - Authenticated (Subscriber+) Missing Authorization to Google Ads Access Token Retrieval via AJAX Action 'exactmetrics_ads_get_token' | smub | ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) | Medium | 5.3 | 2026-04-24 03:27:06 | Deep Dive |
| CVE-2026-41323 | Kyverno: ServiceAccount token leaked to external servers via apiCall service URL | kyverno | kyverno | High | 8.1 | 2026-04-24 03:21:36 | Deep Dive |
| CVE-2026-41068 | Kyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix) | kyverno | kyverno | High | 7.7 | 2026-04-24 03:14:28 | Deep Dive |
| CVE-2026-41319 | MailKit has STARTTLS Response Injection via unflushed stream buffer that enables SASL mechanism downgrade | jstedfast | MailKit | Medium | 6.5 | 2026-04-24 03:07:24 | Deep Dive |
| CVE-2026-41318 | AnythingLLM vulnerable to stored DOM XSS in chart caption renderer - LLM-driven prompt injection produces executable HTML via unsanitized renderMarkdown(content.caption) in Chartable component | Mintplex-Labs | anything-llm | Medium | 5.4 | 2026-04-24 02:57:16 | Deep Dive |
| CVE-2026-41430 | Press vulnerable to reflected XSS on login redirection | frappe | press | - | - | 2026-04-24 02:42:30 | Deep Dive |
| CVE-2026-41317 | Frappe Press has an unsafe HTTP method / CSRF-adjacent issue on API secret generation | frappe | press | - | - | 2026-04-24 02:40:17 | Deep Dive |
| CVE-2026-41316 | ERB has an @_init deserialization guard bypass via def_module / def_method / def_class | ruby | erb | High | 8.1 | 2026-04-24 02:35:41 | Deep Dive |
| CVE-2026-41309 | Open Source Social Network (OSSN) Vulnerable to Resource Exhaustion via Malicious Image Processing | opensource-socialnetwork | opensource-socialnetwork | High | 8.2 | 2026-04-24 02:31:53 | Deep Dive |
| CVE-2026-41305 | PostCSS has XSS via Unescaped `</style>` in its CSS Stringify Output | postcss | postcss | Medium | 6.1 | 2026-04-24 02:27:48 | Deep Dive |
| CVE-2026-40254 | FreeRDP: contains_dotdot() off-by-one allows drive channel path traversal via terminal .. | FreeRDP | FreeRDP | Medium | 4.2 | 2026-04-24 02:24:51 | Deep Dive |
| CVE-2026-33317 | OP-TEE: PKCS#11 TA out-of-bounds read and memory disclosure | OP-TEE | optee_os | High | 8.7 | 2026-04-24 02:20:56 | Deep Dive |
| CVE-2026-33318 | Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers | actualbudget | actual | High | 8.8 | 2026-04-24 02:13:47 | Deep Dive |
| CVE-2026-33208 | Roxy-WI Vulnerable to Authenticated Remote Code Execution via OS Command Injection in find-in-config Endpoint | roxy-wi | roxy-wi | - | - | 2026-04-24 02:10:14 | Deep Dive |
| CVE-2026-33078 | Roxy-WI has SQL Injection in haproxy_section_save Endpoint via Unsanitized server_ip Parameter | roxy-wi | roxy-wi | - | - | 2026-04-24 02:05:03 | Deep Dive |
| CVE-2026-33077 | Roxy-WI has an arbitrary file read vulnerability | roxy-wi | roxy-wi | - | - | 2026-04-24 01:55:44 | Deep Dive |
| CVE-2026-33076 | Roxy-WI vulnerable to path traversal and arbitrary file writing | roxy-wi | roxy-wi | - | - | 2026-04-24 01:52:47 | Deep Dive |
| CVE-2026-32952 | go-ntlmssp NTLM challenges can panic on malformed payloads | Azure | go-ntlmssp | Medium | 5.3 | 2026-04-24 01:46:32 | Deep Dive |
| CVE-2026-41325 | Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection | getkirby | kirby | - | - | 2026-04-24 00:38:50 | Deep Dive |
| CVE-2026-40099 | Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter | getkirby | kirby | - | - | 2026-04-24 00:34:02 | Deep Dive |