From DHS/US-CERT's National Vulnerability Database
core/classes/db_backup.php in Gila CMS 1.10.1 allows admin/db_backup?download= absolute path traversal to read arbitrary files.
Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the mobile app API.
The File Manager in CMS Made Simple through 2.2.10 has Reflected XSS via the "New name" field in a Rename action.
User/Command/ConfirmEmailHandler.php in Flarum before 0.1.0-beta.8 mishandles invalidation of user email tokens.
In GraphicsMagick from version 1.3.30 to 1.4 snapshot-20190403 Q8, there is a heap-based buffer overflow in the function WriteMATLABImage of coders/mat.c, which allows an attacker to cause a denial of service or possibly have unspecified other impact via a crafted image file. This is related to Expo...