Common Vulnerabilities and Exposures (CVE)

CVE-2026-40104

Apr 15, 2026 00:01:58 UTC

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xwi...

CVE-2026-39984

Apr 14, 2026 23:41:47 UTC

Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Versions 2.0.5 and below contain an authorization bypass vulnerability in the VerifyTimestampResponse function. VerifyTimestampResponse correctly verifies the certif...

CVE-2026-2396

Apr 14, 2026 23:26:07 UTC

The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it ...

CVE-2026-39842

Apr 14, 2026 23:21:22 UTC

OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution on the server. The JavaScript rules engine executes u...

CVE-2026-33414

Apr 14, 2026 22:42:19 UTC

Podman is a tool for managing OCI containers and pods. Versions 4.8.0 through 5.8.1 contain a command injection vulnerability in the HyperV machine backend in pkg/machine/hyperv/stubber.go, where the VM image path is inserted into a PowerSh...

CVE-2026-35031

Apr 14, 2026 22:18:30 UTC

Jellyfin is an open-source, self-hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field is not validated, allowing path traversal...

CVE-2026-33021

Apr 14, 2026 21:57:22 UTC

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a use-after-free vulnerability in sixel_encoder_encode_bytes() because sixel_frame_init() stores the caller-owned pixel buffer p...

CVE-2026-0209

Apr 14, 2026 21:56:10 UTC

Under certain administrative conditions, FlashArray Purity may apply snapshot retention policies earlier or later than configured.

CVE-2026-0207

Apr 14, 2026 21:55:52 UTC

A vulnerability exists in FlashBlade whereby sensitive information may be logged under specific conditions.

CVE-2026-27305

Apr 14, 2026 21:53:57 UTC

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vu...

CVE-2026-33018

Apr 14, 2026 21:45:42 UTC

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a Use-After-Free vulnerability via the load_gif() function in fromgif.c, where a single sixel_frame_t object is reused across al...

CVE-2024-12747

Apr 14, 2026 21:41:38 UTC

A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a s...

CVE-2024-12087

Apr 14, 2026 21:41:38 UTC

A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. ...

CVE-2024-12088

Apr 14, 2026 21:41:38 UTC

A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulner...

CVE-2024-12085

Apr 14, 2026 21:41:26 UTC

A flaw was found in rsync which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one ...