CVSS 3.1 score: 7.8

CVE-2026-35043 - BentoML: command injection in cloud deployment setup script (deployment.py)

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the cloud deployment path in src/bentoml/_internal/cloud/deployment.py was not included in the fix for CVE-2026-33744. Line 1648 interpolates system_packages directly into a s…

Published: April 6, 2026, 5:10 p.m. Last Modified: April 6, 2026, 5:10 p.m.

CVSS 3.1 score: 7.5

CVE-2026-35042 - fast-jwt accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

fast-jwt provides a fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token i…

Published: April 6, 2026, 5:02 p.m. Last Modified: April 6, 2026, 5:17 p.m.

CVSS 3.1 score: 9.1

CVE-2026-35039 - fast-jwt Affected by Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Differ…

fast-jwt provides a fast JSON Web Token (JWT) implementation. From 0.0.1 to before 6.1.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification proce…

Published: April 6, 2026, 4:59 p.m. Last Modified: April 6, 2026, 5:17 p.m.

CVSS 3.1 score: 7.2

CVE-2026-35037 - Ech0 affected by unauthenticated SSRF in GetWebsiteTitle allows access to internal services and clo…

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, the GET /api/website/title endpoint accepts an arbitrary URL via the website_url query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. The…

Published: April 6, 2026, 4:56 p.m. Last Modified: April 6, 2026, 5:17 p.m.

CVSS 3.1 score: 7.5

CVE-2026-35036 - Ech0 Affected by Unauthenticated Server-Side Request Forgery in Website Preview Feature

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview (the editor fetches a page title) through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts …

Published: April 6, 2026, 4:55 p.m. Last Modified: April 6, 2026, 5:17 p.m.

CVSS 3.1 score: 7.2

CVE-2026-35035 - CI4MS Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for A…

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.2.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative con…

Published: April 6, 2026, 4:49 p.m. Last Modified: April 6, 2026, 5:17 p.m.

CVSS 4.0 score: 9.4

CVE-2026-35030 - LiteLLM has an authentication bypass via OIDC userinfo cache key collision

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, when JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWT headers produced by the same signing algorithm generate identical first 20…

Published: April 6, 2026, 4:47 p.m. Last Modified: April 6, 2026, 5:17 p.m.

CVSS 4.0 score: 8.7

CVE-2026-35029 - LiteLLM affected by privilege escalation via unrestricted proxy configuration endpoint

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configuration and environmen…

Published: April 6, 2026, 4:35 p.m. Last Modified: April 6, 2026, 5:17 p.m.

CVSS 4.0 score: 7.1

CVE-2026-34992 - Missing Encryption of Sensitive Data in antrea.io/antrea

Antrea is a Kubernetes networking solution intended to be Kubernetes native. Prior to 2.4.5 and 2.5.2, a missing encryption vulnerability affects inter-Node Pod traffic. In Antrea clusters configured for dual-stack networking with IPsec encryption enabled (trafficEncryptionMode: ipsec), Antrea fail…

Published: April 6, 2026, 4:31 p.m. Last Modified: April 6, 2026, 5:17 p.m.

CVSS 4.0 score: 6.9

CVE-2026-5669 - Cyber-III Student-Management-System Parameter login.php SQL injection

A vulnerability has been found in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This vulnerability affects unknown code of the file /login.php of the component Parameter Handler. Such manipulation of the argument Password leads to SQL injection. It is possible …

Published: April 6, 2026, 4:30 p.m. Last Modified: April 6, 2026, 4:30 p.m.