#1101  CVE-2026-40867
CVSS: -
Description: Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, a broken access control vulnerability in the helpdesk attachment viewer allows any authenticated user to view atta…
CWE: CWE-284 Improper Access Control; CWE-639 Authorization Bypass Through User-Controlled Key
Dates: 2026-04-23 06:05 | 2026-04-22

#1102  CVE-2026-40872
CVSS: -
Description: mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value (logged as the "user"…
CWE: CWE-79 Cross-site Scripting; CWE-80 Basic XSS
Dates: 2026-04-23 06:02 | 2026-04-22

#1103  CVE-2026-40873
CVSS: -
Description: mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allow…
CWE: CWE-79 Cross-site Scripting; CWE-80 Basic XSS
Dates: 2026-04-23 06:02 | 2026-04-22

#1104  CVE-2026-40871
CVSS: 7.2 HIGH (Network)
Description: mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantine_category field via the Mailco…
CWE: CWE-20 Improper Input Validation; CWE-89 SQL Injection; CWE-116 Improper Encoding or Escaping of Output; CWE-564 SQL Injection: Hibernate
Dates: 2026-04-23 06:02 | 2026-04-22

#1105  CVE-2026-40874
CVSS: -
Description: mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with `/api/v1/dele…
CWE: CWE-284 Improper Access Control
Dates: 2026-04-23 06:02 | 2026-04-22

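The Horilla entry (#1101) and the mailcow forwarding-host entry (#1105) are the two halves of one bug class: an object-level check that is missing when a record is fetched by a client-supplied ID, and a function-level check that is missing on a privileged API. The following is an added illustration in Go of both, with a hardened form beside each; it is not Horilla's Django code or mailcow's PHP, and the types, field names and in-memory store are assumptions made for the demo.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustration only (not Horilla or mailcow code); all names below are assumed.

var (
	errNotFound  = errors.New("not found")
	errForbidden = errors.New("forbidden")
)

type user struct {
	ID      int
	IsAdmin bool
}

type ticket struct {
	ID, OwnerID, AssigneeID int
}

type attachment struct {
	ID, TicketID int
	Path         string
}

type store struct {
	tickets     map[int]ticket
	attachments map[int]attachment
	fwdHosts    map[string]bool
}

// vulnerableView resolves the attachment straight from the request parameter
// (CWE-639). Being logged in is the only gate, so any user can walk the IDs.
func (s *store) vulnerableView(u user, attachmentID int) (attachment, error) {
	a, ok := s.attachments[attachmentID]
	if !ok {
		return attachment{}, errNotFound
	}
	return a, nil
}

// fixedView resolves the object, then authorises against the parent ticket's
// relationship to the requester. Unauthorised and missing both map to
// "not found" so the endpoint does not confirm which IDs exist.
func (s *store) fixedView(u user, attachmentID int) (attachment, error) {
	a, ok := s.attachments[attachmentID]
	if !ok {
		return attachment{}, errNotFound
	}
	t, ok := s.tickets[a.TicketID]
	if !ok {
		return attachment{}, errNotFound
	}
	if !(u.IsAdmin || t.OwnerID == u.ID || t.AssigneeID == u.ID) {
		return attachment{}, errNotFound
	}
	return a, nil
}

// deleteForwardingHost is the function-level case: a privileged mutation must
// re-check the caller's role on the server for every request, not rely on the
// admin UI being the only thing that links to it.
func (s *store) deleteForwardingHost(u user, host string) error {
	if !u.IsAdmin {
		return errForbidden
	}
	if !s.fwdHosts[host] {
		return errNotFound
	}
	delete(s.fwdHosts, host)
	return nil
}

// sampleStore is constructed test data: alice (1) owns ticket 1, which has
// attachment 10; bob (2) is an unrelated, non-admin user.
func sampleStore() *store {
	return &store{
		tickets:     map[int]ticket{1: {ID: 1, OwnerID: 1, AssigneeID: 3}},
		attachments: map[int]attachment{10: {ID: 10, TicketID: 1, Path: "/uploads/offer-letter.pdf"}},
		fwdHosts:    map[string]bool{"relay.example.org": true},
	}
}

var (
	alice = user{ID: 1}
	bob   = user{ID: 2}
	admin = user{ID: 9, IsAdmin: true}
)

func main() {
	s := sampleStore()
	_, err := s.vulnerableView(bob, 10)
	fmt.Println("vulnerable view, bob:", err) // <nil>: bob reads alice's file
	_, err = s.fixedView(bob, 10)
	fmt.Println("fixed view, bob:", err) // not found
	fmt.Println("delete as bob:", s.deleteForwardingHost(bob, "relay.example.org"))
	fmt.Println("delete as admin:", s.deleteForwardingHost(admin, "relay.example.org"))
}
```

The point of `fixedView` is that authorisation is derived from the object's relationship to the caller after the lookup, never from the ID the caller chose; the point of `deleteForwardingHost` is that the role check lives in the handler, where it runs on every request regardless of which page issued it.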
#1106  CVE-2026-40875
CVSS: -
Description: mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" (login history) renders the client IP fr…
CWE: CWE-79 Cross-site Scripting; CWE-80 Basic XSS
Dates: 2026-04-23 06:02 | 2026-04-22

#1107  CVE-2026-40878
CVSS: -
Description: mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to Twig as a global temp…
CWE: CWE-79 Cross-site Scripting
Dates: 2026-04-23 06:02 | 2026-04-22

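The four mailcow XSS entries (#1102, #1103, #1106, #1107) share one root cause: a value the client controls (Autodiscover EMailAddress, attachment filename, client IP, request URI) reaches an HTML template without output encoding for the context it lands in. The following is an added illustration in Go, not mailcow's PHP/Twig code, of the unescaped rendering beside a contextually autoescaped one; the template, field names and canary payloads are constructed for the demo.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
	texttemplate "text/template"
)

// Illustration only (not mailcow code); the row layout is an assumption.

type row struct {
	User, Filename, ClientIP, RequestURI string
}

// page mirrors where each value lands: table cells (HTML text context) and a
// link built from the request URI (URL attribute context).
const page = `<td>{{.User}}</td><td>{{.Filename}}</td><td>{{.ClientIP}}</td><a href="{{.RequestURI}}">back</a>`

// sampleRow carries one constructed canary per sink, standing in for the
// client-supplied values named in the advisories.
func sampleRow() row {
	return row{
		User:       `bob@example.org<script>alert(1)</script>`,
		Filename:   `invoice.pdf<script>alert(1)</script>`,
		ClientIP:   `203.0.113.7<script>alert(1)</script>`,
		RequestURI: `/user?q="><script>alert(1)</script>`,
	}
}

// renderUnescaped models the vulnerable pattern (string concatenation, or a
// Twig |raw filter): whatever markup the value carries becomes live markup.
func renderUnescaped(r row) (string, error) {
	t, err := texttemplate.New("p").Parse(page)
	if err != nil {
		return "", err
	}
	var b bytes.Buffer
	if err := t.Execute(&b, r); err != nil {
		return "", err
	}
	return b.String(), nil
}

// renderEscaped uses contextual autoescaping: text nodes are HTML-escaped and
// the href value is URL-escaped, so the same inputs render as inert text.
func renderEscaped(r row) (string, error) {
	t, err := template.New("p").Parse(page)
	if err != nil {
		return "", err
	}
	var b bytes.Buffer
	if err := t.Execute(&b, r); err != nil {
		return "", err
	}
	return b.String(), nil
}

// containsLiveScript is the check a regression test for these sinks would make.
func containsLiveScript(html string) bool {
	return strings.Contains(html, "<script>")
}

func main() {
	r := sampleRow()
	u, _ := renderUnescaped(r)
	e, _ := renderEscaped(r)
	fmt.Println("unescaped has live <script>:", containsLiveScript(u))
	fmt.Println("escaped has live <script>:  ", containsLiveScript(e))
	fmt.Println(e)
}
```

Two practitioner notes. First, escaping must match the sink: the same string needs HTML entity encoding inside a text node and URL encoding inside an `href`, which is why a context-aware engine (Twig with autoescape on, Go's html/template) is the durable fix rather than a single escape call at the point of logging. Second, for the REQUEST_URI case the cheaper fix is to stop exposing the raw URI to templates at all and pass only the path component the page actually needs.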
#1108  CVE-2026-40943
CVSS: -
Description: Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel.…
CWE: CWE-362 Race Condition
Dates: 2026-04-23 05:28 | 2026-04-22

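"send on closed channel" is a fatal runtime panic in Go, so a heartbeat that can race a concurrent close is a remotely triggerable crash of the whole process. The following is an added illustration of that interleaving and of one standard fix (lifecycle state guarded by a mutex, with a separate done channel for observers); it is not Oxia's code, and the session shape is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Illustration only (not Oxia code); session types below are assumed.

var errSessionClosed = errors.New("session closed")

// racySession models the vulnerable pattern: heartbeats are sent on a channel
// that a concurrent Close may already have closed. Nothing orders the two, so
// the interleaving Close -> Heartbeat panics with "send on closed channel".
type racySession struct {
	heartbeats chan struct{}
}

func (s *racySession) Heartbeat() { s.heartbeats <- struct{}{} }
func (s *racySession) Close()     { close(s.heartbeats) }

// heartbeatAfterClose drives the bad interleaving deterministically and
// reports whether the send panicked (true means the server would have died).
func heartbeatAfterClose() (panicked bool) {
	s := &racySession{heartbeats: make(chan struct{}, 1)}
	s.Close()
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	s.Heartbeat()
	return false
}

// safeSession: the closed flag and the send are covered by one mutex, Close is
// idempotent, and nobody ever closes the heartbeat channel. Consumers that
// need to know about shutdown wait on Done() instead.
type safeSession struct {
	mu         sync.Mutex
	closed     bool
	heartbeats chan struct{}
	done       chan struct{}
}

func newSafeSession() *safeSession {
	return &safeSession{heartbeats: make(chan struct{}, 16), done: make(chan struct{})}
}

func (s *safeSession) Done() <-chan struct{} { return s.done }

func (s *safeSession) Heartbeat() error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.closed {
		return errSessionClosed
	}
	select {
	case s.heartbeats <- struct{}{}:
	default: // consumer is behind; drop rather than block while holding the lock
	}
	return nil
}

func (s *safeSession) Close() {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.closed {
		return
	}
	s.closed = true
	close(s.done)
}

// hammer races Close against Heartbeat on fresh sessions and reports how many
// heartbeats were rejected post-close and whether any goroutine panicked.
func hammer(iters int) (rejected int, panicked bool) {
	var wg sync.WaitGroup
	var mu sync.Mutex
	for i := 0; i < iters; i++ {
		s := newSafeSession()
		wg.Add(2)
		go func() {
			defer wg.Done()
			defer func() {
				if recover() != nil {
					mu.Lock()
					panicked = true
					mu.Unlock()
				}
			}()
			s.Close()
		}()
		go func() {
			defer wg.Done()
			defer func() {
				if recover() != nil {
					mu.Lock()
					panicked = true
					mu.Unlock()
				}
			}()
			if err := s.Heartbeat(); errors.Is(err, errSessionClosed) {
				mu.Lock()
				rejected++
				mu.Unlock()
			}
		}()
	}
	wg.Wait()
	return rejected, panicked
}

func main() {
	fmt.Println("racy session panicked:", heartbeatAfterClose())
	rej, p := hammer(1000)
	fmt.Printf("safe session: %d heartbeats rejected after close, panicked=%v\n", rej, p)
}
```

Run the safe variant under `go test -race` when adapting it; the detector will flag any path that still touches the channel outside the lock. The rule this encodes is the usual one for Go channels: only the single owner closes, and senders check lifecycle state under the same lock that transitions it.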
#1109  CVE-2026-40944
CVSS: -
Description: Oxia is a metadata store and coordination system. Prior to 0.16.2, the trustedCertPool() function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle …
CWE: CWE-295 Improper Certificate Validation
Dates: 2026-04-23 05:28 | 2026-04-22

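A single `pem.Decode` call returns only the first block and hands back the rest of the file, which is exactly how a loader ends up trusting one CA out of a bundle. The following is an added example, not Oxia's `trustedCertPool()`, that puts the first-block-only loader beside a loader that walks every block and counts what it accepted; the two throwaway CAs are generated in-process so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Illustration only (not Oxia code); the bundle below is constructed.

// firstBlockOnly mirrors the bug class: pem.Decode yields the first block and
// the remainder is ignored, so a bundle of N CAs produces a pool of one.
func firstBlockOnly(bundle []byte) (*x509.CertPool, int, error) {
	pool := x509.NewCertPool()
	block, _ := pem.Decode(bundle)
	if block == nil {
		return nil, 0, fmt.Errorf("no PEM data found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, 0, err
	}
	pool.AddCert(cert)
	return pool, 1, nil
}

// allBlocks walks every block, skips non-CERTIFICATE blocks, and fails loudly
// on a malformed certificate. The count lets the caller cross-check against
// the number of CAs the bundle is supposed to contain.
func allBlocks(bundle []byte) (*x509.CertPool, int, error) {
	pool := x509.NewCertPool()
	n := 0
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, n, fmt.Errorf("certificate %d: %w", n+1, err)
		}
		pool.AddCert(cert)
		n++
	}
	if n == 0 {
		return nil, 0, fmt.Errorf("no CERTIFICATE blocks in bundle")
	}
	return pool, n, nil
}

// selfSignedCA generates a throwaway CA certificate (constructed test data).
func selfSignedCA(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// sampleBundle concatenates two CAs, the shape of a typical ca-bundle file.
func sampleBundle() ([]byte, error) {
	a, err := selfSignedCA("Test Root A")
	if err != nil {
		return nil, err
	}
	b, err := selfSignedCA("Test Root B")
	if err != nil {
		return nil, err
	}
	return append(a, b...), nil
}

func main() {
	bundle, err := sampleBundle()
	if err != nil {
		panic(err)
	}
	_, n1, _ := firstBlockOnly(bundle)
	_, n2, _ := allBlocks(bundle)
	fmt.Printf("first-block loader trusts %d CA(s); full loader trusts %d\n", n1, n2)
}
```

The standard library already has a looping loader, `(*x509.CertPool).AppendCertsFromPEM`, but note its contract: it returns a single `ok` bool and silently skips blocks it cannot parse, so a bundle with one corrupted certificate still "succeeds" with fewer roots than expected. For a trust store that gates server or mTLS authentication, an explicit loop that counts and errors is the safer shape.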
#1110  CVE-2026-40945
CVSS: -
Description: Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in producti…
CWE: CWE-532 Inclusion of Sensitive Information in Log Files
Dates: 2026-04-23 05:28 | 2026-04-22

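The practical fix for a token landing in a DEBUG line is to make sure the raw credential never reaches the logging sink at any level, while still giving operators something to correlate a failure with. The following is an added illustration of that, not Oxia's code: it assumes the credential arrives as an HTTP-style `Bearer <token>` value and that the failure path logs the Authorization value for troubleshooting.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
)

// Illustration only (not Oxia code); message format and token are constructed.

var bearerRe = regexp.MustCompile(`(?i)\bBearer\s+([A-Za-z0-9\-._~+/]+=*)`)

// fingerprint gives operators something to match against the IdP's own logs
// without disclosing the credential: a truncated SHA-256 of the token.
func fingerprint(token string) string {
	sum := sha256.Sum256([]byte(token))
	return "sha256:" + hex.EncodeToString(sum[:])[:16]
}

// redactBearer rewrites every bearer credential in msg so the sink never sees
// the raw token, whatever log level happens to be enabled.
func redactBearer(msg string) string {
	return bearerRe.ReplaceAllStringFunc(msg, func(m string) string {
		tok := bearerRe.FindStringSubmatch(m)[1]
		return "Bearer <redacted " + fingerprint(tok) + ">"
	})
}

// unsafeDebugLine reproduces the logged form the advisory describes: the full
// Authorization value is interpolated into the diagnostic.
func unsafeDebugLine(authz string, err error) string {
	return fmt.Sprintf("DEBUG oidc: token validation failed: %v (authorization=%q)", err, authz)
}

// safeDebugLine keeps the diagnostic value and drops the secret.
func safeDebugLine(authz string, err error) string {
	return redactBearer(unsafeDebugLine(authz, err))
}

func main() {
	// Constructed value, not a real token.
	authz := "Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.c2lnbmF0dXJl"
	err := fmt.Errorf("token expired")
	fmt.Println(unsafeDebugLine(authz, err))
	fmt.Println(safeDebugLine(authz, err))
}
```

Apply the redaction at the logger (a handler or hook that sanitises every message) rather than at each call site, since the call site that forgets is the one that ships. A truncated hash is safe to log for high-entropy bearer tokens; for guessable secrets use an HMAC under a server-side key instead, so the log line cannot be used as an offline oracle.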