| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-41170 | Squidex has SSRF via Backup Restore Endpoint — Admin-Controlled URL Download Allows Internal and External Requests | Squidex | squidex | - | - | 2026-04-22 21:13:19 | Deep Dive |
| CVE-2026-41455 | WeKan < 8.35 SSRF via Webhook URL | wekan | wekan | High | 8.5 | 2026-04-22 21:09:30 | Deep Dive |
| CVE-2026-41454 | WeKan < 8.35 Missing Authorization via Integration REST API | wekan | wekan | High | 8.3 | 2026-04-22 21:08:39 | Deep Dive |
| CVE-2026-41314 | pypdf: Manipulated FlateDecode image dimensions can exhaust RAM | py-pdf | pypdf | - | - | 2026-04-22 21:08:15 | Deep Dive |
| CVE-2026-41313 | pypdf: Possible long runtimes for wrong size values in incremental mode | py-pdf | pypdf | - | - | 2026-04-22 21:05:00 | Deep Dive |
| CVE-2026-41312 | pypdf: Manipulated FlateDecode predictor parameters can exhaust RAM | py-pdf | pypdf | - | - | 2026-04-22 21:02:53 | Deep Dive |
| CVE-2026-41168 | pypdf has possible long runtimes for wrong size values in cross-reference and object streams | py-pdf | pypdf | - | - | 2026-04-22 20:49:10 | Deep Dive |
| CVE-2026-41167 | Jellystat has SQL Injection that leads to Remote Code Execution | CyferShepard | Jellystat | Critical | 9.1 | 2026-04-22 20:39:31 | Deep Dive |
| CVE-2026-40882 | OpenRemote has XXE in Velbus Asset Import | openremote | openremote | High | 7.6 | 2026-04-22 20:33:23 | Deep Dive |
| CVE-2026-41166 | OpenRemote has Improper Access Control via updateUserRealmRoles function | openremote | openremote | High | 7.0 | 2026-04-22 20:31:29 | Deep Dive |
| CVE-2026-41134 | Kiota: Code Generation Literal Injection | microsoft | kiota | - | - | 2026-04-22 20:20:58 | Deep Dive |
| CVE-2026-40937 | RustFS missing admin authorization on notification target endpoints, which allows unauthenticated configuration of event webhooks | rustfs | rustfs | High | 8.3 | 2026-04-22 20:15:57 | Deep Dive |
| CVE-2026-33733 | EspoCRM has Admin TemplateManager path traversal that allows arbitrary file read write and delete | espocrm | espocrm | High | 7.2 | 2026-04-22 20:05:24 | Deep Dive |
| CVE-2026-33656 | EspoCRM vulnerable to authenticated RCE via Formula with path traversal in attachment `sourceId`, exploitable by admin user | espocrm | espocrm | Critical | 9.1 | 2026-04-22 20:01:24 | Deep Dive |
| CVE-2026-34068 | nimiq-transaction: UpdateValidator transactions allows voting key change without proof-of-knowledge | nimiq | nimiq-transaction | Medium | 6.8 | 2026-04-22 19:55:08 | Deep Dive |
| CVE-2026-3837 | Frappe Framework 16.10.0 - Stored DOM XSS in Multiple Field Formatters | Frappe | Frappe | - | - | 2026-04-22 19:52:56 | Deep Dive |
| CVE-2026-34067 | nimiq-transaction vulnerable to panic via `HistoryTreeProof` length mismatch | nimiq | nimiq-transaction | Low | 3.1 | 2026-04-22 19:52:44 | Deep Dive |
| CVE-2026-34066 | nimiq-blockchain: Peer-triggerable panic during history sync | nimiq | nimiq-blockchain | Medium | 5.3 | 2026-04-22 19:47:49 | Deep Dive |
| CVE-2026-34065 | nimiq-primitives: Node crash due to missing interlink validation in election macro block proposals | nimiq | nimiq-primitives | High | 7.5 | 2026-04-22 19:45:01 | Deep Dive |
| CVE-2026-34064 | nimiq-account: Vesting insufficient funds error can panic | nimiq | nimiq-account | Medium | 5.3 | 2026-04-22 19:43:04 | Deep Dive |