NVD Dashboard
NVD Contains
| CVE Vulnerabilities | 344655 |
| Checklists | 879 |
| US-CERT Alerts | 249 |
| US-CERT Vuln Notes | 4486 |
| OVAL Queries | 0 |
| CPE Names | 1662407 |
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
-
CVE-2021-41646 - Remote Code Execution (RCE) vulnerability exists in Sourcecodester Online Reviewer System 1.0 by uploading a maliciously crafted PHP file that bypasses the image upload filters.
Published: October 29, 2021; 2:15:08 PM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
-
CVE-2023-2596 - A vulnerability was found in SourceCodester Online Reviewer System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /reviewer/system/system/admins/manage/users/user-update.php of the component GET Pa...
Published: May 09, 2023; 9:15:18 AM -0400
V3.1: 9.8 CRITICAL
-
CVE-2021-27130 - Online Reviewer System 1.0 contains a SQL injection vulnerability through authentication bypass, which may lead to a reverse shell upload.
Published: April 14, 2021; 11:15:13 AM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
-
CVE-2026-4400 - Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat that allows private conversations of other users being viewed by simply changing the conversation ID. The vulnerability is present in the endpoint 'api.1millionbot.co...
Published: March 31, 2026; 7:16:14 AM -0400
V3.1: 6.5 MEDIUM
-
CVE-2026-4788 - IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.37 stores sensitive information in log files that could be read by a local user.
Published: April 07, 2026; 9:16:41 PM -0400
V3.1: 5.5 MEDIUM
-
CVE-2026-3357 - IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.
Published: April 07, 2026; 9:16:41 PM -0400
V3.1: 8.8 HIGH
-
CVE-2026-28553 - Vulnerability of improper permission control in the theme setting module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
Published: April 13, 2026; 12:16:03 AM -0400
V3.1: 7.5 HIGH
-
CVE-2026-23818 - A vulnerability has been identified in the graphical user interface (GUI) of HPE Aruba Networking Private 5G Core On-Prem that could allow an attacker to abuse an open redirect vulnerability in the login flow using a crafted URL. Successful exploi...
Published: April 07, 2026; 9:16:45 AM -0400
V3.1: 9.6 CRITICAL
-
CVE-2025-67260 - The Terrapack software, from ASTER TEC / ASTER S.p.A., with the indicated components and versions has a file upload vulnerability that may allow attackers to execute arbitrary code. Vulnerable components include Terrapack TkWebCoreNG:: 1.0.2020091...
Published: March 20, 2026; 12:16:16 PM -0400
-
CVE-2024-44722 - SysAK v2.0 and before is vulnerable to command execution via aaa;cat /etc/passwd.
Published: March 20, 2026; 10:16:13 AM -0400
-
CVE-2026-25667 - ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Decoder str...
Published: March 19, 2026; 3:16:19 PM -0400
-
CVE-2026-40386 - In libexif through 0.6.25, an integer underflow in size checking for Fuji and Olympus MakerNote decoding could be used by attackers to crash or leak information out of libexif-using programs.
Published: April 12, 2026; 3:16:20 PM -0400
V3.1: 7.1 HIGH
-
CVE-2026-34940 - KubeAI is an AI inference operator for kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref...
Published: April 06, 2026; 12:16:37 PM -0400
V3.1: 8.8 HIGH
-
CVE-2026-34951 - Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains a reflected cross-site scripting vulnerability via the footerScripts paramete...
Published: April 06, 2026; 12:16:38 PM -0400
-
CVE-2026-34783 - Ferret is a declarative system for working with web data. Prior to 2.0.0-alpha.4, a path traversal vulnerability in Ferret's IO::FS::WRITE standard library function allows a malicious website to write arbitrary files to the filesystem of the machi...
Published: April 06, 2026; 1:17:10 PM -0400
-
CVE-2026-39361 - OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surround...
Published: April 07, 2026; 4:16:29 PM -0400
-
CVE-2026-35516 - LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud met...
Published: April 07, 2026; 12:16:27 PM -0400
-
CVE-2026-35490 - changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorat...
Published: April 07, 2026; 12:16:27 PM -0400
-
CVE-2026-35458 - Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers in...
Published: April 07, 2026; 11:17:43 AM -0400
-
CVE-2026-5440 - A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP req...
Published: April 09, 2026; 11:16:16 AM -0400