CVSS: 4.8 | EPSS: 0% | CPEs: - | EXPL: 0 | CVE-2026-6997 – BDCOM P3310D New RMON History cross site scripting
https://notcve.org/view.php?id=CVE-2026-6997
25 Apr 2026 — A security vulnerability has been detected in BDCOM P3310D 0.4.2 10.1.0F Build 86345. This impacts an unknown function of the component New RMON History Page. The manipulation of the argument Owner leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. • https://vuldb.com/submit/797248 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.8 | EPSS: 0% | CPEs: - | EXPL: 0 | CVE-2026-6996 – BDCOM P3310D rmon event Tab cross site scripting
https://notcve.org/view.php?id=CVE-2026-6996
25 Apr 2026 — A weakness has been identified in BDCOM P3310D 0.4.2 10.1.0F Build 86345. This affects an unknown function of the component rmon event Tab. Executing a manipulation of the argument Description can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. • https://vuldb.com/submit/797247 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.8 | EPSS: 0% | CPEs: - | EXPL: 0 | CVE-2026-6995 – BDCOM P3310D New User index.asp cross site scripting
https://notcve.org/view.php?id=CVE-2026-6995
25 Apr 2026 — A security flaw has been discovered in BDCOM P3310D 0.4.2 10.1.0F Build 86345. The impacted element is an unknown function of the file /index.asp of the component New User Page. Performing a manipulation of the argument User name results in cross site scripting. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. • https://vuldb.com/submit/797242 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.1 | EPSS: 0% | CPEs: 1 | EXPL: 1 | CVE-2026-6990 – projeto-siga novo cross site scripting
https://notcve.org/view.php?id=CVE-2026-6990
25 Apr 2026 — A vulnerability was found in projeto-siga siga 11.0.3.18. The affected element is an unknown function of the file /sigawf/app/responsavel/novo. Performing a manipulation of the argument Nome/Descrição results in cross site scripting. The attack can be initiated remotely. The exploit has been made public and could be used. • https://github.com/ViniCastro2001/Security_Reports/tree/main/siga/Stored-XSS-Responsavel • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8 | EPSS: 0% | CPEs: - | EXPL: 0 | CVE-2026-6951
https://notcve.org/view.php?id=CVE-2026-6951
25 Apr 2026 — Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone ... • https://gist.github.com/KKC73/02d1d97f3410756095b501fda0ac8ca6 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.1 | EPSS: 0% | CPEs: 1 | EXPL: 1 | CVE-2026-41473 – CyberPanel < 2.4.4 Unauthenticated API Access via AI Scanner Endpoints
https://notcve.org/view.php?id=CVE-2026-41473
24 Apr 2026 — CyberPanel versions prior to 2.4.4 contain an authentication bypass vulnerability in the AI Scanner worker API endpoints that allows unauthenticated remote attackers to write arbitrary data to the database by sending requests to the /api/ai-scanner/status-webhook and /api/ai-scanner/callback endpoints. • https://itsrez.re/post/cyberpanel-rce • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1 | CVE-2026-41472 – CyberPanel < 2.4.4 Stored XSS via AI Scanner Dashboard
https://notcve.org/view.php?id=CVE-2026-41472
24 Apr 2026 — Attackers can inject JavaScript that executes in an administrator's authenticated session when they visit the AI Scanner dashboard, allowing them to issue same-origin requests to plant cron jobs and achieve remote code execution on the server. • https://itsrez.re/post/cyberpanel-rce • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-41421 – SiYuan Desktop Notification XSS Leads to Electron RCE
https://notcve.org/view.php?id=CVE-2026-41421
24 Apr 2026 — As a result, JavaScript executed from the notification sink can directly access Node APIs and escalate to desktop code execution. • https://github.com/siyuan-note/siyuan/security/advisories/GHSA-grjj-6f6g-cq8q • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.4 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-41414 – Skim: Arbitrary code execution via pull_request_target fork checkout in pr.yml
https://notcve.org/view.php?id=CVE-2026-41414
24 Apr 2026 — The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with access to SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN (contents:write). • https://github.com/skim-rs/skim/commit/bf63404ad51985b00ed304690ba9d477860a5a75 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8 | EPSS: 0% | CPEs: - | EXPL: 1 | CVE-2026-39920 – BridgeHead FileStore < 24A Apache Axis2 Default Credentials RCE
https://notcve.org/view.php?id=CVE-2026-39920
24 Apr 2026 — BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service. • https://www.vulncheck.com/advisories/bridgehead-filestore-24a-apache-axis2-default-credentials-rce • CWE-1188: Initialization of a Resource with an Insecure Default CWE-1391: Use of Weak Credentials •
