2026-04-18
2026-04-18 01:16Z
HIGH

CVE-2026-40350 — Leepeuker Movary: Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users`

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40350

Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use them to enumerate all users and create a new administrator account. This happens because the route definitions do not enforce admin-only middleware, and the controller-level authorization check uses a broken boolean condition. As a result, any user with a valid web session cookie c CVSSv3.1 8.8 (HIGH) · EPSS 14th percentile

CWE: CWE-863 · Vendor: Leepeuker, Movary · Type: Vulnerability
CVSS v3.1: 8.8 · Score: 94
2026-04-18
2026-04-18 01:16Z
CRIT

CVE-2026-40317 — Minecanton209 Novumos: In versions prior to 0.24, Syscall 12 (JumpToUser) accepts an arbitrary entry point address

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40317

NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 12 (JumpToUser) accepts an arbitrary entry point address from user-space registers without validation, allowing any Ring 3 user-mode process to jump to kernel addresses and execute arbitrary code in Ring 0 context, resulting in local privilege escalation. This issue has been fixed in version 0.24. If developers are unable to immediately update, they should restrict CVSSv3.1 9.3 (CRITICAL) · EPSS 6th percentile

CWE: CWE-269, CWE-20 · Vendor: Minecanton209, Novumos · Type: Vulnerability
CVSS v3.1: 9.3 · Score: 97
2026-04-18
2026-04-18 00:16Z
HIGH

CVE-2026-40349 — Leepeuker Movary: Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40349

Movary is a self-hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=true` to `PUT /settings/users/{userId}` for their own user ID. The endpoint is intended to let a user edit their own profile, but it updates the sensitive `isAdmin` field without any admin-only authorization check. Version 0.71.1 patches the issue. CVSSv3.1 8.8 (HIGH) · EPSS 3rd percentile

CWE: CWE-862 · Vendor: Leepeuker, Movary · Type: Vulnerability
CVSS v3.1: 8.8 · Score: 94
2026-04-18
2026-04-18 00:16Z
CRIT

CVE-2026-40324 — Hot: This occurs before any validation rules run — `MaxExecutionDepth`, complexity analyzers, persisted query allow-lists

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40324

Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser `Utf8GraphQLParser` has no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or list types can trigger a `StackOverflowException` on payloads as small as 40 KB. Because `StackOverflowException` is uncatchable in .NET (since .NET 2.0), the entire worker process is termina CVSSv3.1 9.1 (CRITICAL) · EPSS 13th percentile

CWE: CWE-674 · Vendor: Hot · Type: Vulnerability
CVSS v3.1: 9.1 · Score: 96
2026-04-18
2026-04-18 00:09Z
MED

A few more protocol handlers :), Part 2

Hexacorn · hexacorn.com

Hexacorn documents newly discovered Windows 11 25H2 protocol handlers, expanding a multi-year catalog of custom URI schemes that can be abused for code execution and defense evasion. The post identifies 30+ new handlers including ms-recall, ms-devhome, ms-launchremotedesktop, and others that may present attack surface for protocol handler exploitation.

Surface: OS · Tactic: TA0001 · Vendor: Microsoft · Type: Research · Stage: Initial Access
Score: 68
2026-04-17
2026-04-17 22:16Z
CRIT

CVE-2026-5720 — Miniupnp_project Miniupnpd: contains an integer underflow vulnerability in SOAPAction header parsing that allows remote attackers

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5720

miniupnpd contains an integer underflow vulnerability in SOAPAction header parsing that allows remote attackers to cause a denial of service or information disclosure by sending a malformed SOAPAction header with a single quote. Attackers can trigger an out-of-bounds memory read by exploiting improper length validation in ParseHttpHeaders(), where the parsed length underflows to a large unsigned value when passed to memchr(), causing the process to scan memory far beyond the CVSSv3.1 9.1 (CRITICAL) · EPSS 19th percentile

CWE: CWE-125, CWE-191 · Vendor: Miniupnp Project · Type: Vulnerability
CVSS v3.1: 9.1 · Score: 96
2026-04-17
2026-04-17 22:16Z
CRIT

CVE-2026-40478 — Thymeleaf Thymeleaf: Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40478

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine CVSSv3.1 9.0 (CRITICAL) · EPSS 12th percentile

CWE: CWE-1336, CWE-917 · Vendor: Thymeleaf · Type: Vulnerability
CVSS v3.1: 9.0 · Score: 95
2026-04-17
2026-04-17 22:16Z
CRIT

CVE-2026-40477 — Thymeleaf Thymeleaf: Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40477

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input d CVSSv3.1 9.0 (CRITICAL) · EPSS 12th percentile

CWE: CWE-1336, CWE-917 · Vendor: Thymeleaf · Type: Vulnerability
CVSS v3.1: 9.0 · Score: 95
2026-04-17
2026-04-17 22:16Z
HIGH

CVE-2026-40352 — Fastgpt Fastgpt: In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40352

FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attacker can bypass the "old password" verification by injecting MongoDB query operators. This allows an attacker who has gained a low-privileged session to change the password of their account (or others if combined with ID manipulation) without knowing the current one, leading to full account takeover and persistence. This CVSSv3.1 8.8 (HIGH) · EPSS 9th percentile

CWE: CWE-943 · Vendor: Fastgpt · Type: Vulnerability
CVSS v3.1: 8.8 · Score: 94
2026-04-17
2026-04-17 22:16Z
CRIT

CVE-2026-40351 — Fastgpt Fastgpt: This NoSQL injection bypasses the password check, enabling login as any user including the

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40351

FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object (e.g., {"$ne": ""}) as the password field. This NoSQL injection bypasses the password check, enabling login as any user including the root administrator. This issue has been fixed in version 4.14.9.5. CVSSv3.1 9.8 (CRITICAL) · EPSS 19th percentile

CWE: CWE-943 · Vendor: Fastgpt · Type: Vulnerability
CVSS v3.1: 9.8 · Score: 99
2026-04-17
2026-04-17 22:16Z
HIGH

CVE-2026-40321 — Dnnsoftware Dotnetnuke: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40321

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The impact is increased if the scripts are run by a power user. Version 10.2.2 patches the issue. CVSSv3.1 8.0 (HIGH)

CWE: CWE-87 · Vendor: Dnnsoftware, Dnn · Type: Vulnerability
CVSS v3.1: 8.0 · Score: 90
2026-04-17
2026-04-17 22:16Z
CRIT

CVE-2026-40258 — Gramps: Versions 1.6.0 through 3.11.0 have a path traversal vulnerability (Zip Slip) in the media

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40258

The Gramps Web API is a Python REST API for the genealogical research software Gramps. Versions 1.6.0 through 3.11.0 have a path traversal vulnerability (Zip Slip) in the media archive import feature. An authenticated user with owner-level privileges can craft a malicious ZIP file with directory-traversal filenames to write arbitrary files outside the intended temporary extraction directory on the server's local filesystem. Starting in version 3.11.1, ZIP entry names are now v CVSSv3.1 9.1 (CRITICAL) · EPSS 21st percentile

CWE: CWE-22 · Vendor: Gramps · Type: Vulnerability
CVSS v3.1: 9.1 · Score: 96
2026-04-17
2026-04-17 22:16Z
CRIT

CVE-2026-29013 — Libcoap Libcoap: contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc()

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-29013

libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() for bounds checking, which is removed in release builds compiled with NDEBUG. Attackers can send crafted CoAP requests with malformed OSCORE options or responses during OSCORE negotiation to trigger out-of-bounds reads during CBOR parsing and potentially cause out-of-bounds reads through integer wraparound i CVSSv3.1 9.8 (CRITICAL) · EPSS 14th percentile

CWE: CWE-125 · Vendor: Libcoap · Type: Vulnerability
CVSS v3.1: 9.8 · Score: 99
2026-04-17
2026-04-17 21:16Z
HIGH

CVE-2026-40196 — Sysadminsmedia Homebox: Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40196

HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the access revocation and prevented the user from viewing or modifying the group's contents, the API did not. Because the original group ID persisted as the user's defaultGroup, and this CVSSv3.1 8.1 (HIGH)

CWE: CWE-708 · Vendor: Sysadminsmedia, Homebox · Type: Vulnerability
CVSS v3.1: 8.1 · Score: 91
2026-04-17
2026-04-17 21:16Z
HIGH

CVE-2026-35512 — Neutrinolabs Xrdp: Versions through 0.10.5 have a heap-based buffer overflow in the EGFX (graphics dynamic virtual

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35512

xrdp is an open source RDP server. Versions through 0.10.5 have a heap-based buffer overflow in the EGFX (graphics dynamic virtual channel) implementation due to insufficient validation of client-controlled size parameters, allowing an out-of-bounds write via crafted PDUs. Pre-authentication exploitation can crash the process, while post-authentication exploitation may achieve remote code execution. This issue has been fixed in version 0.10.6. If users are unable to immediate CVSSv3.1 8.8 (HIGH) · EPSS 75th percentile

CWE: CWE-122 · Vendor: Neutrinolabs, Rdp · Type: Vulnerability
CVSS v3.1: 8.8 · Score: 94
2026-04-17
2026-04-17 21:16Z
CRIT

CVE-2026-33689 — Neutrinolabs Xrdp: Versions through 0.10.5 have an out-of-bounds read vulnerability in the pre-authentication RDP message parsing

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33689

xrdp is an open source RDP server. Versions through 0.10.5 have an out-of-bounds read vulnerability in the pre-authentication RDP message parsing logic. A remote, unauthenticated attacker can trigger this flaw by sending a specially crafted sequence of packets during the initial connection phase. This vulnerability results from insufficient validation of input buffer lengths before processing dynamic channel communication. Successful exploitation can lead to a denial-of-servi CVSSv3.1 9.1 (CRITICAL) · EPSS 48th percentile

CWE: CWE-125 · Vendor: Neutrinolabs, Rdp · Type: Vulnerability
CVSS v3.1: 9.1 · Score: 96
2026-04-17
2026-04-17 21:16Z
CRIT

CVE-2026-23500 — Dolibarr Dolibarr_erp/crm: An authenticated administrator can inject arbitrary OS commands via this constant using command separators

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-23500

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0, the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inject arbitrary OS commands via this constant using command separators, achieving remote code execution as the web server user when a CVSSv3.1 9.1 (CRITICAL) · EPSS 35th percentile

CWE: CWE-78 · Vendor: Dolibarr · Type: Vulnerability
CVSS v3.1: 9.1 · Score: 96
2026-04-17
2026-04-17 20:35Z
HIGH

Metasploit Wrap-Up 17/04/2026

Metasploit Framework 6.4.126–6.4.128 shipped seven new modules including four RCE exploits (AVideo SQLi credential dump, openDCIM chained SQLi-to-RCE, Selenium Grid/Selenoid unauthenticated RCE, ChurchCRM file upload RCE) and three Windows persistence techniques (BITS jobs, PowerShell profiles, Telemetry scheduled tasks). The Selenium module notably unifies prior separate exploits and includes a never-patched Firefox profile handler injection technique dating to 2021.

Surface: Application, OS, Web · Tactic: TA0004, TA0005, TA0003 · Vendor: Microsoft, Rapid7
Score: 72
2026-04-17
2026-04-17 20:16Z
HIGH

CVE-2026-40434 — Anviz Crosschex_standard: CrossChex Standard lacks source verification in the client/server channel, enabling TCP packet injection

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40434

Anviz CrossChex Standard lacks source verification in the client/server channel, enabling TCP packet injection by an attacker on the same network to alter or disrupt application traffic. CVSSv3.1 8.1 (HIGH) · EPSS 7th percentile

CWE: CWE-940 · Vendor: Anviz · Type: Vulnerability
CVSS v3.1: 8.1 · Score: 91
2026-04-17
2026-04-17 20:16Z
CRIT

CVE-2026-40342 — Firebirdsql Firebird: An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40342

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to load an arbitrary shared library from anywhere on the filesystem via path traversal. The library's initialization code executes imm CVSSv3.1 9.9 (CRITICAL) · EPSS 25th percentile

CWE: CWE-94, CWE-22, CWE-73, CWE-427 · Vendor: Firebirdsql, Firebird · Type: Vulnerability
CVSS v3.1: 9.9 · Score: 100
2026-04-17
2026-04-17 20:16Z
HIGH

CVE-2026-40066 — Anviz Cx7_firmware: CX2 Lite and CX7 are vulnerable to unverified update packages that can be

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40066

Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The device unpacks and executes a script resulting in unauthenticated remote code execution. CVSSv3.1 8.8 (HIGH) · EPSS 8th percentile

CWE: CWE-494 · Vendor: Anviz · Type: Vulnerability
CVSS v3.1: 8.8 · Score: 94
2026-04-17
2026-04-17 20:16Z
HIGH

CVE-2026-35682 — Anviz Cx2_lite_firmware: CX2 Lite is vulnerable to an authenticated command injection via a filename parameter

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35682

Anviz CX2 Lite is vulnerable to an authenticated command injection via a filename parameter that enables arbitrary command execution (e.g., starting telnetd), resulting in root‑level access. CVSSv3.1 8.8 (HIGH) · EPSS 50th percentile

CWE: CWE-77 · Vendor: Anviz · Type: Vulnerability
CVSS v3.1: 8.8 · Score: 94
2026-04-17
2026-04-17 20:16Z
CRIT

CVE-2026-35546 — Anviz Cx7_firmware: CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35546

Anviz CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads. This causes crafted archives to be accepted, enabling attackers to plant and execute code and obtain a reverse shell. CVSSv3.1 9.8 (CRITICAL) · EPSS 23rd percentile

CWE: CWE-306 · Vendor: Anviz · Type: Vulnerability
CVSS v3.1: 9.8 · Score: 99
2026-04-17
2026-04-17 20:16Z
CRIT

CVE-2026-33516 — Neutrinolabs Xrdp: Versions through 0.10.5 contain an out-of-bounds read vulnerability during the RDP capability exchange phase.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33516

xrdp is an open source RDP server. Versions through 0.10.5 contain an out-of-bounds read vulnerability during the RDP capability exchange phase. The issue occurs when memory is accessed before validating the remaining buffer length. A remote, unauthenticated attacker can trigger this vulnerability by sending a specially crafted Confirm Active PDU. Successful exploitation could lead to a denial of service (process crash) or potential disclosure of sensitive information from th CVSSv3.1 9.1 (CRITICAL) · EPSS 40th percentile

CWE: CWE-125 · Vendor: Neutrinolabs, Rdp · Type: Vulnerability
CVSS v3.1: 9.1 · Score: 96
2026-04-17
2026-04-17 20:16Z
HIGH

CVE-2026-32623 — Neutrinolabs Xrdp: Versions through 0.10.5 contain a heap-based buffer overflow vulnerability in the NeutrinoRDP module.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32623

xrdp is an open source RDP server. Versions through 0.10.5 contain a heap-based buffer overflow vulnerability in the NeutrinoRDP module. When proxying RDP sessions from xrdp to another server, the module fails to properly validate the size of reassembled fragmented virtual channel data against its allocated memory buffer. A malicious downstream RDP server (or an attacker capable of performing a Man-in-the-Middle attack) could exploit this flaw to cause memory corruption, pote CVSSv3.1 8.1 (HIGH) · EPSS 65th percentile

CWE: CWE-122 · Vendor: Neutrinolabs, Rdp · Type: Vulnerability
CVSS v3.1: 8.1 · Score: 91