CVSS: 3.3 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-35342 – uutils coreutils mktemp Insecure Temporary File Placement via Empty TMPDIR
https://notcve.org/view.php?id=CVE-2026-35342
22 Apr 2026 — If the CWD is more permissive or accessible to other users than /tmp, it may lead to unintended information disclosure or unauthorized access to temporary data. • https://github.com/uutils/coreutils/pull/10566 • CWE-377: Insecure Temporary File
CVSS: 6.1 • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2026-6861 – Emacs: emacs: memory corruption vulnerability when processing svg css
https://notcve.org/view.php?id=CVE-2026-6861
22 Apr 2026 — A local user could exploit this by convincing a victim to open a malicious SVG file, which may lead to a denial of service (DoS) or potentially information disclosure. • https://access.redhat.com/security/cve/CVE-2026-6861 • CWE-193: Off-by-one Error
CVSS: 2.5 • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2026-6842 – Nano: nano: local attacker can inject malicious .desktop launcher due to insecure directory permissions
https://notcve.org/view.php?id=CVE-2026-6842
22 Apr 2026 — This allows the attacker to inject a malicious `.desktop` launcher, which could lead to unintended actions or information disclosure if the launcher is subsequently processed. • https://access.redhat.com/security/cve/CVE-2026-6842 • CWE-732: Incorrect Permission Assignment for Critical Resource
CVSS: 2.7 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2026-6408 – Tanium addressed an information disclosure vulnerability in Tanium Server.
https://notcve.org/view.php?id=CVE-2026-6408
22 Apr 2026 — Tanium addressed an information disclosure vulnerability in Tanium Server. • https://security.tanium.com/TAN-2026-012 • CWE-522: Insufficiently Protected Credentials
CVSS: 2.7 • EPSS: 0% • CPEs: 2 • EXPL: 0 • CVE-2026-6392 – Tanium addressed an information disclosure vulnerability in Threat Response.
https://notcve.org/view.php?id=CVE-2026-6392
22 Apr 2026 — Tanium addressed an information disclosure vulnerability in Threat Response. • https://security.tanium.com/TAN-2026-011 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 1 • CVE-2026-40908 – WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php that Exposes Developer Emails and Deployed Version
https://notcve.org/view.php?id=CVE-2026-40908
21 Apr 2026 — WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (enabling version fingerprinting against known CVEs), developer names and email addresses (PII), and commit messages which may contain references to internal systems or security fixes. As of time of publication, no known patched versions are available. • https://github.com/WWBN/AVideo/security/advisories/GHSA-52hf-63q4-r926 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS: 8.2 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-24189
https://notcve.org/view.php?id=CVE-2026-24189
21 Apr 2026 — A successful exploit of this vulnerability might lead to denial of service and information disclosure. • https://nvd.nist.gov/vuln/detail/CVE-2026-24189 • CWE-125: Out-of-bounds Read
CVSS: 7.7 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-24177
https://notcve.org/view.php?id=CVE-2026-24177
21 Apr 2026 — A successful exploit of this vulnerability might lead to information disclosure. • https://nvd.nist.gov/vuln/detail/CVE-2026-24177 • CWE-306: Missing Authentication for Critical Function
CVSS: 4.9 • EPSS: 0% • CPEs: 2 • EXPL: 0 • CVE-2026-26067 – October: Safe Mode Bypass via CSS Preprocessor Compilers
https://notcve.org/view.php?id=CVE-2026-26067
21 Apr 2026 — Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. • https://github.com/octobercms/october/security/advisories/GHSA-3888-q23f-x7qh • CWE-184: Incomplete List of Disallowed Inputs • CWE-863: Incorrect Authorization
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1 • CVE-2026-40498 – FreeScout has Authentication Bypass and Information Disclosure in SystemController via /system/cron
https://notcve.org/view.php?id=CVE-2026-40498
21 Apr 2026 — FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can access diagnostic and system tools that should be restricted to administrators. The /system/cron endpoint relies on a static MD5 hash derived from the APP_KEY, which is exposed in the response and logs. Accessing these endpoints reveals sensitive server information (Full Path Disclosure), process IDs, and allows for Resource Exhaustion (DoS) by triggering heavy background tasks repeatedly ... • https://github.com/freescout-help-desk/freescout/commit/b1d6c2c601a6ec3626ab13e679607b5084dfbd38 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-284: Improper Access Control • CWE-770: Allocation of Resources Without Limits or Throttling
