Common Vulnerabilities and Exposures (CVE)

CVE-2026-0988

Apr 24, 2026 20:38:24 UTC

A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow ...

CVE-2026-41476

Apr 24, 2026 20:15:40 UTC

Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.138, a remote memory-safety vulnerability in Deskflow's clipboard deserialization allows a connected peer to trigger an out-of-bounds read by sending a malformed clipboard updat...

CVE-2026-6966

Apr 24, 2026 20:15:28 UTC

Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signat...

CVE-2026-6967

Apr 24, 2026 20:13:20 UTC

Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for dele...

CVE-2026-6968

Apr 24, 2026 20:10:00 UTC

Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copy_target/link_target,...

CVE-2026-41428

Apr 24, 2026 20:00:50 UTC

Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the q...

CVE-2026-41244

Apr 24, 2026 19:59:59 UTC

Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator (!==) to verify the HMAC-SHA256 integrity seal during the decryption phase....

CVE-2026-41418

Apr 24, 2026 19:59:10 UTC

4ga Boards is a boards system for realtime project management. Prior to 3.3.5, 4ga Boards is vulnerable to user enumeration via a timing side-channel in the login endpoint (POST /api/access-tokens). When an invalid username/email is provide...

CVE-2026-41415

Apr 24, 2026 19:58:40 UTC

PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an out-of-bounds read when parsing a malformed Content-ID URI in SIP multipart message body. Insufficient length validation can cau...

CVE-2026-41328

Apr 24, 2026 19:57:59 UTC

Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default c...

CVE-2026-41477

Apr 24, 2026 19:50:21 UTC

Deskflow is a keyboard and mouse sharing app. In 1.20.0, 1.26.0.134, and earlier, Deskflow daemon runs as SYSTEM and exposes an IPC named pipe with WorldAccessOption enabled. The daemon processes privileged commands without authentication,...

CVE-2026-41503

Apr 24, 2026 19:41:44 UTC

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an out-of-bounds read vulnerability in bacnet-stack's ReadPropertyMultiple service property decoder allows unauthenticated remote attackers ...

CVE-2026-41502

Apr 24, 2026 19:40:43 UTC

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an off-by-one out-of-bounds read vulnerability in bacnet-stack's ReadPropertyMultiple service decoder allows unauthenticated remote attacker...

CVE-2026-41475

Apr 24, 2026 19:39:52 UTC

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an out-of-bounds read vulnerability in bacnet-stack's WritePropertyMultiple service decoder allows unauthenticated remote attackers to read ...

CVE-2026-41459

Apr 24, 2026 19:31:14 UTC

Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request...