29458 matches found
CVE-2026-40887
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-17 06:31:34+00:00 | confirmed | https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2026/CVE-2026-40887.yaml |
| 2026-04-19 21:03:03+00:00 | seen | https://bsky.app/profile/beikokucyber.bsky.social/post/3mjuu2zdoll2i |
| 2026-04-21... | | |
GHSA-2MVX-F5QM-V2CH
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-16 23:18:29+00:00 | published-proof-of-concept | Telegram/uUtOgPMgnfpzQaGdgE5uvRP8Wc5QVkmzi4lAg5HL6Ws0-I... |
Missing Authentication for Critical Function
Overview: Affected versions of this package are vulnerable to Missing Authentication for Critical Function in several API endpoints that lack proper authentication checks. An attacker can access sensitive data, perform state-changing operations, and obtain internal configuration details by sending...
GHSA-944X-93JF-H3RX
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-16 21:20:19+00:00 | published-proof-of-concept | Telegram/Aucjp3CgnELaS6Gr5NTHztcQZsmAAmJEC2bwRSYMi6Gi6QU... |
GHSA-4FXQ-2X3X-6XQX zrok: Reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering
Summary: The proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter verbatim into an error message when...
CVE-2026-39857
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-16 20:45:15+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-c276-fj82-f2pq... |
Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads
Impact: The ALLOWED_ASSET_DOMAINS setting applied only to the first issued request and did not restrict possible redirects. Patches: https://github.com/WeblateOrg/weblate/pull/18550. References: This issue was reported by @spbavarva via GitHub...
GHSA-MQPH-7H49-HQFM Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository
Impact: The translation memory API exposed unintended endpoints, which in turn did not do proper access control. Patches: https://github.com/WeblateOrg/weblate/pull/18516. Workarounds: The CDN add-on is not enabled by default. References: Thanks to @spbavarva for reporting this responsibly via GitHub...
GHSA-P2GH-CFQ4-4WJC
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-16 17:21:05+00:00 | published-proof-of-concept | Telegram/YKX-6KXVqHKUWR-VRt4uZwi-aDyDZ2w2e-w4Y4gyD3o3fyw... |
GHSA-5VJQ-5JMG-39XQ
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-16 14:49:49+00:00 | seen | https://bsky.app/profile/andrewnez.mastodon.social.ap.brid.gy/post/3mjmnsikjzws2... |
GHSA-JG4P-7FHP-P32P vulnerabilities
Vulnerabilities for packages: opensearch-dashboards-fips, kibana, opensearch-dashboards...
MAL-2026-2729 Malicious code in apl-github-test (npm)
Per source details. Source: amazon-inspector fc746d95b286b0c3dde3aa7d5d3287da638b8a02ceed430f372112f1f563686a. The package apl-github-test was found to contain malicious code...
PT-2026-33378
Summary: The proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter verbatim into an error message when...
CVE-2026-40316 OWASP BLT has RCE in GitHub Actions via untrusted Django model execution in workflow
OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflows/regenerate-migrations.yml workflow. The workflow uses the pull_request_target trigger to run wit...
CVE-2026-40316
CVE-2026-40316 (OWASP BLT) affects versions prior to 2.1.1. An RCE exists in the .github/workflows/regenerate-migrations.yml workflow due to using pull_request_target with full GITHUB_TOKEN write permissions. The workflow copies attacker-controlled files from untrusted PRs into the trusted runner ...
GHSA-78X4-6X83-JX75
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-15 19:21:23+00:00 | seen | Telegram/7Ck-SXA1c6Vf9FqVW81avKVix-fYO39OzelndhESQPxXBQ... |