Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector. Each entry shows the CVSS score and severity (0.0 NA where the feed has no score), the attack vector where one is recorded, the category and the publication date.

CVE-2026-40581 — ChurchCRM: Cross-Site Request Forgery (CSRF) in SelectDelete.php Leading to Permanent Dat…
Score: 0.0 NA | Category: Cross-Site Request Forgery | Published: Apr 17, 2026

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records an…

CVE-2026-40337 — Sentry kernel has incomplete ownership check for IRQ line manipulation
Score: 0.0 NA | Category: Denial of Service | Published: Apr 17, 2026

The Sentry kernel is a high security level micro-kernel implementation made for high security embedded systems. A given task with one of the DEV or IO capability is able to interact with another task…

CVE-2026-40341 — libgphoto2 has an OOB Read in ptp_unpack_EOS_FocusInfoEx
Score: 0.0 NA | Category: Memory Corruption | Published: Apr 17, 2026

libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, an out-of-bounds read in ptp_unpack_EOS_FocusInfoEx could be used to crash libgphoto2 when processing input f…

CVE-2026-40340 — libgphoto2 has OOB read in ptp_unpack_OI() in ptp-pack.c via malicious PTP ObjectInfo res…
Score: 0.0 NA | Category: Memory Corruption | Published: Apr 17, 2026

libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read vulnerability in `ptp_unpack_OI()` in `camlibs/ptp2/ptp-pack.c` (lines 530–563). The …

CVE-2026-40339 — libgphoto2 has OOB read in ptp_unpack_Sony_DPD() FormFlag parsing in ptp-pack.c
Score: 0.0 NA | Category: Memory Corruption | Published: Apr 17, 2026

libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (line 842). The function read…

CVE-2026-40338 — libgphoto2 has OOB read in ptp_unpack_Sony_DPD() enumeration count parsing in ptp-pack.c
Score: 0.0 NA | Category: Memory Corruption | Published: Apr 17, 2026

libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in the PTP_DPFF_Enumeration case of `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack…

CVE-2026-40485 — ChurchCRM: Username Enumeration via Differential Response in Public Login API
Score: 0.0 NA | Category: Information Disclosure | Published: Apr 17, 2026

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a…

CVE-2026-40336 — libgphoto2 has memory leak in ptp_unpack_Sony_DPD() secondary enumeration list in ptp-pac…
Score: 0.0 NA | Category: Memory Corruption | Published: Apr 17, 2026

libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have a memory leak in `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (lines 884–885). When processing a se…

CVE-2026-2262 — Easy Appointments <= 3.12.21 - Unauthenticated Sensitive Information Exposure via REST API
Score: 0.0 NA | Category: Information Disclosure | Published: Apr 17, 2026

The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the `/wp-json/wp/v2/eablocks/ea_appointments/` REST API en…

CVE-2026-40484 — ChurchCRM: Authenticated Remote Code Execution via Unrestricted PHP File Write in Databas…
Score: 0.0 NA | Category: Path Traversal | Published: Apr 17, 2026

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ direct…

CVE-2026-40483 — ChurchCRM: Stored XSS in PledgeEditor.php via Donation Comment Field
Score: 0.0 NA | Category: Cross-Site Scripting | Published: Apr 17, 2026

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes without escaping via html…

CVE-2026-40335 — libgphoto2 has OOB read in ptp_unpack_DPV() UINT128/INT128 handling in ptp-pack.c
Score: 0.0 NA | Category: Memory Corruption | Published: Apr 17, 2026

libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in `ptp_unpack_DPV()` in `camlibs/ptp2/ptp-pack.c` (lines 622–629). The UINT128 and I…

CVE-2026-40334 — libgphoto2 missing null termination in ptp_unpack_Canon_FE() filename buffer in ptp-pack.c
Score: 0.0 NA | Category: Memory Corruption | Published: Apr 17, 2026

libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, a missing null terminator exists in ptp_unpack_Canon_FE() in camlibs/ptp2/ptp-pack.c (line 1377). The functi…

CVE-2026-40582 — ChurchCRM: Authentication Bypass in `/api/public/user/login` Allows Bypass of 2FA and Acc…
Score: 0.0 NA | Category: Authentication | Published: Apr 17, 2026

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, byp…

CVE-2026-40486 — Kimai's User Preferences API allows standard users to modify restricted attributes: hourl…
Score: 4.3 MEDIUM | Attack vector: Remote | Category: Authorization | Published: Apr 17, 2026

Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/users/{id}/preferences) applies submitted preference values without chec…

CVE-2026-40481 — monetr: Unauthenticated Stripe webhook reads attacker-sized request bodies before signatu…
Score: 8.2 HIGH | Attack vector: Remote | Category: Denial of Service | Published: Apr 17, 2026

monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe sig…

CVE-2026-40479 — Kimai: Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget
Score: 5.4 MEDIUM | Attack vector: Remote | Category: Cross-Site Scripting | Published: Apr 17, 2026

Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quote or single quote characters. When a us…

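CVE-2026-40479 above is an instance of a general mistake: an escaper that rewrites only &, < and > is adequate for text nodes but not for attribute values, where one unescaped quote closes the attribute and turns the rest of the string into new attributes, event handlers included. The following added example is written here in C and is not Kimai's code: it places the incomplete escaper beside the complete one, renders a constructed display name into a title attribute with each, and checks whether the attribute was closed early. The names `escape_html`, `render_title_attr`, `attr_is_broken_out`, `escaped_equals` and the `demo_*` helpers are assumed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escapes s for HTML and returns a malloc'd copy (caller frees). With quotes_too == 0 it
 * mirrors the incomplete pattern: only &, < and > are rewritten, which suffices for text
 * nodes but not for attribute values. With quotes_too != 0 it also rewrites " and '. */
char *escape_html(const char *s, int quotes_too) {
    size_t cap = strlen(s) * 6 + 1;           /* worst case: every byte becomes a 6-char entity */
    char *out = malloc(cap);
    size_t w = 0;
    if (!out) return NULL;
    for (; *s; s++) {
        const char *rep = NULL;
        switch (*s) {
        case '&':  rep = "&amp;"; break;
        case '<':  rep = "&lt;";  break;
        case '>':  rep = "&gt;";  break;
        case '"':  if (quotes_too) rep = "&quot;"; break;
        case '\'': if (quotes_too) rep = "&#x27;"; break;
        default: break;
        }
        if (rep) { size_t l = strlen(rep); memcpy(out + w, rep, l); w += l; }
        else out[w++] = *s;
    }
    out[w] = '\0';
    return out;
}

/* Emits the fragment a widget would produce for a user-controlled name: title="<escaped>". */
char *render_title_attr(const char *name, int quotes_too) {
    char *e = escape_html(name, quotes_too);
    char *attr;
    size_t n;
    if (!e) return NULL;
    n = strlen(e) + sizeof("title=\"\"");
    attr = malloc(n);
    if (attr) snprintf(attr, n, "title=\"%s\"", e);
    free(e);
    return attr;
}

/* What the bug means in practice: is there a raw double quote inside the value, i.e. one
 * that is neither the opening quote nor the final closing quote? If so the attribute was
 * closed early and everything after it is parsed as further attributes. */
int attr_is_broken_out(const char *attr) {
    const char *first = strchr(attr, '"');
    const char *next;
    if (!first) return 0;
    next = strchr(first + 1, '"');
    return next != NULL && next[1] != '\0';
}

/* Constructed payload: a display name that closes the attribute and adds an event handler. */
static const char ATTACK_NAME[] = "\" onmouseover=\"alert(1)";

int demo_incomplete_breaks_out(void) {
    char *a = render_title_attr(ATTACK_NAME, 0);   /* title="" onmouseover="alert(1)" */
    int r = a ? attr_is_broken_out(a) : -1;
    free(a);
    return r;
}

int demo_complete_stays_inside(void) {
    char *a = render_title_attr(ATTACK_NAME, 1);   /* title="&quot; onmouseover=&quot;alert(1)" */
    int r = a ? !attr_is_broken_out(a) : -1;
    free(a);
    return r;
}

int escaped_equals(const char *in, int quotes_too, const char *expect) {
    char *e = escape_html(in, quotes_too);
    int r = e ? strcmp(e, expect) == 0 : 0;
    free(e);
    return r;
}

int main(void) {
    printf("incomplete escaper broken out: %d\ncomplete escaper broken out: %d\n",
           demo_incomplete_breaks_out(), !demo_complete_stays_inside());
    return 0;
}
```

The check in `attr_is_broken_out` is deliberately crude; the durable fix is to escape all five characters whenever a value is placed in an attribute, or to set the attribute through the DOM API instead of string concatenation.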
CVE-2026-2434 — Pz-LinkCard <= 2.5.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Sho…
Score: 6.4 MEDIUM | Attack vector: Remote | Category: Cross-Site Scripting | Published: Apr 17, 2026

The Pz-LinkCard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blogcard' shortcode attributes in all versions up to, and including, 2.5.8.1 due to insufficient input sanit…

CVE-2026-40333 — libgphoto2 has OOB read in ptp_unpack_EOS_ImageFormat() and ptp_unpack_EOS_CustomFuncEx()…
Score: 0.0 NA | Category: Memory Corruption | Published: Apr 17, 2026

libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded…

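The libgphoto2 out-of-bounds read and missing-terminator entries above (CVE-2026-40333, -40334, -40335, -40338, -40339, -40340 and -40341) share one root cause: unpack routines that trust a device-supplied count or length, or that take a data pointer with no length at all. The following added example is not libgphoto2 code; it shows the bounded-cursor pattern that closes that class. Every read checks the remaining payload first, a device-supplied element count is validated against the payload before any element is touched, and a fixed-size filename buffer is NUL-terminated on every path. The record layout, the `ptp_cursor` type, `parse_record` and the `demo_*` helpers are assumptions for this illustration; the string encoding follows the PTP convention of a one-byte code-unit count followed by UCS-2 LE units, and the sample payloads are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Bounds-tracking cursor over an untrusted PTP payload. */
typedef struct {
    const uint8_t *data;
    size_t len;   /* bytes the device actually sent */
    size_t off;   /* bytes consumed; off <= len is the invariant every read preserves */
} ptp_cursor;

static int cur_has(const ptp_cursor *c, size_t need) { return need <= c->len - c->off; }

static int cur_u8(ptp_cursor *c, uint8_t *out) {
    if (!cur_has(c, 1)) return 0;
    *out = c->data[c->off++];
    return 1;
}

static int cur_u16le(ptp_cursor *c, uint16_t *out) {
    if (!cur_has(c, 2)) return 0;
    *out = (uint16_t)(c->data[c->off] | (c->data[c->off + 1] << 8));
    c->off += 2;
    return 1;
}

/* PTP string: one byte giving the number of UCS-2 LE code units (including a trailing 0),
 * then that many units. The count is device-controlled, so it is checked against the
 * remaining payload before a single unit is read. ASCII is copied into out[], anything
 * else becomes '?', and out[] is NUL-terminated whatever happens (truncated or not). */
static int cur_ptp_string(ptp_cursor *c, char *out, size_t outsz) {
    uint8_t n;
    size_t w = 0;
    if (outsz == 0 || !cur_u8(c, &n)) return 0;
    if (!cur_has(c, (size_t)n * 2)) return 0;          /* count overruns payload: reject */
    for (uint8_t i = 0; i < n; i++) {
        uint16_t cu;
        (void)cur_u16le(c, &cu);                         /* cannot fail after the check above */
        if (cu == 0) { c->off += (size_t)(n - i - 1) * 2; break; }
        if (w + 1 < outsz) out[w++] = cu < 0x80 ? (char)cu : '?';
    }
    out[w] = '\0';
    return 1;
}

/* Enumeration list: u16 element count followed by count * elem_size bytes. The count is
 * validated against the remaining payload before the elements are touched. */
static int cur_enum_list(ptp_cursor *c, size_t elem_size, uint16_t *count_out) {
    uint16_t n;
    if (!cur_u16le(c, &n)) return 0;
    if (!cur_has(c, (size_t)n * elem_size)) return 0;
    c->off += (size_t)n * elem_size;                     /* elements would be decoded here */
    *count_out = n;
    return 1;
}

/* Hypothetical record: [PTP string][u16 count][count x u16]. Returns 1 on success, 0 if the
 * payload is malformed; never reads past buf + len. */
int parse_record(const uint8_t *buf, size_t len, char *name, size_t namesz, uint16_t *count) {
    ptp_cursor c = { buf, len, 0 };
    return cur_ptp_string(&c, name, namesz) && cur_enum_list(&c, 2, count);
}

/* Constructed sample payloads. */
static const uint8_t GOOD[] = {
    0x0D, 'I',0,'M',0,'G',0,'_',0,'0',0,'0',0,'0',0,'1',0,'.',0,'J',0,'P',0,'G',0,0,0,
    0x03,0x00, 0x01,0x00, 0x02,0x00, 0x03,0x00 };
static const uint8_t BAD_STRING[] = { 0xFF, 'A',0,'B',0 };                /* claims 255 units, has 2 */
static const uint8_t BAD_ENUM[]   = { 0x01, 0,0, 0xFF,0xFF, 0x01,0x00 };  /* claims 65535 elements */

int demo_good_count(void) {
    char n[32]; uint16_t k = 0;
    return parse_record(GOOD, sizeof GOOD, n, sizeof n, &k) ? k : -1;
}
int demo_good_name(void) {
    char n[32]; uint16_t k;
    return parse_record(GOOD, sizeof GOOD, n, sizeof n, &k) && strcmp(n, "IMG_0001.JPG") == 0;
}
int demo_small_buffer(void) {            /* 8-byte buffer: truncated, still NUL-terminated */
    char n[8]; uint16_t k;
    return parse_record(GOOD, sizeof GOOD, n, sizeof n, &k) && strcmp(n, "IMG_000") == 0;
}
int demo_bad_string(void) {
    char n[32]; uint16_t k;
    return parse_record(BAD_STRING, sizeof BAD_STRING, n, sizeof n, &k);
}
int demo_bad_enum(void) {
    char n[32]; uint16_t k;
    return parse_record(BAD_ENUM, sizeof BAD_ENUM, n, sizeof n, &k);
}

int main(void) {
    printf("good count=%d, bad string accepted=%d, bad enum accepted=%d\n",
           demo_good_count(), demo_bad_string(), demo_bad_enum());
    return 0;
}
```

The point of the cursor is that a length parameter alone is not enough; what matters is that the length travels with the pointer into every helper, so no unpack routine can be called without it.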
CVE-2026-40480 — ChurchCRM has Missing Object-Level Authorization / IDOR in `/api/person/{personId}`
Score: 0.0 NA | Category: Authorization | Published: Apr 17, 2026

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorizatio…

Showing 20 of 6508 Results