CVE ID: CVE-2026-41242 Published: April 18, 2026, 5:16 p.m. | 7 hours, 25 minutes ago Description: protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can…
CVE-2026-6518 – CMP – Coming Soon & Maintenance Plugin by NiteoThemes <= 4.1.16 – Missing Authorization to Authenticated (Administrator+) Arbitrary File Upload and Remote Code Execution
CVE ID: CVE-2026-6518 Published: April 18, 2026, 5:16 a.m. | 19 hours, 25 minutes ago Description: The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary…
CVE-2026-40494 – SAIL has heap buffer overflow in TGA RLE decoder — raw packet path missing bounds check
CVE ID: CVE-2026-40494 Published: April 18, 2026, 3:16 a.m. | 21 hours, 25 minutes ago Description: SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC…
CVE-2026-40493 – SAIL has heap buffer overflow in PSD decoder — bpp mismatch in LAB 16-bit mode
CVE ID: CVE-2026-40493 Published: April 18, 2026, 3:16 a.m. | 21 hours, 25 minutes ago Description: SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC…
CVE-2026-40492 – SAIL has heap buffer overflow in XWD decoder — bits_per_pixel vs pixmap_depth type confusion in byte-swap
CVE ID: CVE-2026-40492 Published: April 18, 2026, 3:16 a.m. | 21 hours, 25 minutes ago Description: SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC…
CVE-2026-40582 – ChurchCRM: Authentication Bypass in `/api/public/user/login` Allows Bypass of 2FA and Account Lockout
CVE ID: CVE-2026-40582 Published: April 18, 2026, 12:16 a.m. | 24 minutes ago Description: ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the…
CVE-2026-40581 – ChurchCRM: Cross-Site Request Forgery (CSRF) in SelectDelete.php Leading to Permanent Data Deletion
CVE ID: CVE-2026-40581 Published: April 18, 2026, 12:16 a.m. | 24 minutes ago Description: ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php)…
CVE-2026-40484 – ChurchCRM: Authenticated Remote Code Execution via Unrestricted PHP File Write in Database Restore Function
CVE ID: CVE-2026-40484 Published: April 18, 2026, 12:16 a.m. | 24 minutes ago Description: ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts…
CVE-2026-40349 – Authenticated Movary User Can Self-Escalate to Administrator via PUT /settings/users/{userId} by Setting isAdmin=true
CVE ID: CVE-2026-40349 Published: April 18, 2026, 12:16 a.m. | 24 minutes ago Description: Movary is a self-hosted web app to track and rate a user’s watched movies. Prior to version…
CVE-2026-40324 – Hot Chocolate’s Utf8GraphQLParser has Stack Overflow via Deeply Nested GraphQL Documents
CVE ID: CVE-2026-40324 Published: April 18, 2026, 12:16 a.m. | 24 minutes ago Description: Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate’s recursive…