| # | CVSS | Severity | Attack Vector | Description | Status | CWE | CVE | Timestamp | Date |
|---|---|---|---|---|---|---|---|---|---|
| 131 | 3.5 | LOW | Adjacent | The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external e… | New | CWE-611 XXE | CVE-2024-8010 | 2026-04-16 19:16 | 2026-04-16 |
| 132 | 5.4 | MEDIUM | Network | The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject scrip… | New | CWE-79 Cross-site Scripting | CVE-2024-4867 | 2026-04-16 19:16 | 2026-04-16 |
| 133 | 6.1 | MEDIUM | Network | The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input para… | New | CWE-79 Cross-site Scripting | CVE-2024-10242 | 2026-04-16 19:16 | 2026-04-16 |
| 134 | 7.3 | HIGH | Local | Dell Storage Manager - Replay Manager for Microsoft Servers, version(s) 8.0, contain(s) an Improper Privilege Management vulnerability. A low privileged attacker with local access could potentially e… | New | CWE-269 Improper Privilege Management | CVE-2026-23772 | 2026-04-16 18:16 | 2026-04-16 |
| 135 | 7.5 | HIGH | Network | The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft… | New | CWE-611 XXE | CVE-2024-2374 | 2026-04-16 18:16 | 2026-04-16 |
| 136 | 5.3 | MEDIUM | Network | The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ultp_shareCo… | New | CWE-862 Missing Authorization | CVE-2026-0718 | 2026-04-16 17:16 | 2026-04-16 |
| 137 | 8.8 | HIGH | Network | The Career Section plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Path Traversal and Arbitrary File Deletion in all versions up to, and including, 1.6. This is due to mis… | New | CWE-22 Path Traversal | CVE-2025-14868 | 2026-04-16 17:16 | 2026-04-16 |
| 138 | 7.4 | HIGH | Network | In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, … | New | CWE-130 Improper Handling of Length Parameter Inconsistency | CVE-2026-41035 | 2026-04-16 16:16 | 2026-04-16 |
| 139 | 5.0 | MEDIUM | Network | ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and ASLR bypass. | New | CWE-125 Out-of-bounds Read | CVE-2026-41034 | 2026-04-16 16:16 | 2026-04-16 |
| 140 | 6.2 | MEDIUM | Local | In ONLYOFFICE DesktopEditors before 9.3.0, the update service allows attackers to perform actions on files with SYSTEM privileges. | New | CWE-669 Incorrect Resource Transfer Between Spheres | CVE-2026-41030 | 2026-04-16 16:16 | 2026-04-16 |