Recent Advisories

Severity ID Title Vendor Product Date Type
Severity: LOW 2.3
ID: CVE-2026-39957
Title: Lychee has Broken Access Control in SharingController::listAll() leaks private album sharing metadata to unauthorized users
Summary: Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll() causes the orWhe...
Vendor: LycheeOrg
Product: Lychee < 7.5.4
Type: CVE

Severity: LOW 1.7
ID: CVE-2026-40072
Title: web3.py affected by SSRF via CCIP Read (EIP-3668) OffchainLookup URL handling
Summary: web3.py allows you to interact with the Ethereum blockchain using Python. From 6.0.0b3 to before 7.15.0 and 8.0.0b2, web3.py implements CCIP Read /...
Vendor: ethereum
Product: web3.py >= 6.0.0b3, < 7.15.0
Type: CVE

Severity: LOW 2.3
ID: CVE-2026-34988
Title: Wasmtime leaks data between pooling allocator instances
Summary: Wasmtime is a runtime for WebAssembly. From 28.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of its pooling allocator contain...
Vendor: bytecodealliance
Product: wasmtime >= 28.0.0, < 36.0.7
Type: CVE

Severity: LOW 1
ID: CVE-2026-34983
Title: Wasmtime has a use-after-free bug after cloning `wasmtime::Linker`
Summary: Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs. This bug is not cont...
Vendor: bytecodealliance
Product: wasmtime >= 43.0.0, < 43.0.1
Type: CVE

Severity: LOW 2.3
ID: CVE-2026-34945
Title: Wasmtime leaks host data with 64-bit tables and Winch
Summary: Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit ta...
Vendor: bytecodealliance
Product: wasmtime >= 25.0.0, < 36.0.7
Type: CVE

Severity: LOW 3.5
ID: CVE-2026-40077
Title: Beszel has an IDOR in hub API endpoints that read system ID from URL parameter
Summary: Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without ...
Vendor: henrygd
Product: beszel < 0.18.7
Type: CVE

Severity: LOW 3.3
ID: H1:3665363
Title: curl: Integer Overflow/Signedness Mismatch in Printf Precision for HTTP/2 Trailer Headers
Summary: # BUG IN https://raw.githubusercontent.com/curl/curl/07a9b89fedaec60bdbc254f23f66149b31d2f8da/lib/http2.c ```c if(stream->bodystarted) { /* T...
Vendor: N/A
Product: N/A
Type: HACKERONE

Severity: LOW 2.3
ID: CVE-2026-5187
Title: Heap Out-of-Bounds Write in DecodeObjectId() in wolfSSL
Summary: Two potential heap out-of-bounds write locations existed in DecodeObjectId() in wolfcrypt/src/asn.c. First, a bounds check only validates one avail...
Vendor: wolfSSL
Product: wolfSSL
Type: CVE

Severity: LOW 3.1
ID: CVE-2026-40109
Title: Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Summary: Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receive...
Vendor: fluxcd
Product: notification-controller < 1.8.3
Type: CVE

Severity: LOW 2.3
ID: CVE-2026-35624
Title: OpenClaw < 2026.3.22 - Policy Confusion via Room Name Collision in Nextcloud Talk
Summary: OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room ...
Vendor: OpenClaw
Product: OpenClaw
Type: CVE