|
361
|
6.5 |
MEDIUM
Network
|
-
|
-
|
LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs, potentially causing the iOS devic…
New
|
CWE-451
User Interface (UI) Misrepresentation of Critical Information
|
CVE-2026-3861
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
362
|
6.2 |
MEDIUM
Local
|
-
|
-
|
In ONLYOFFICE DesktopEditors before 9.3.0, the update service allows attackers to perform actions on files with SYSTEM privileges.
New
|
CWE-669
Incorrect Resource Transfer Between Spheres
|
CVE-2026-41030
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
363
|
5.0 |
MEDIUM
Network
|
-
|
-
|
ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and ASLR bypass.
New
|
CWE-125
Out-of-bounds Read
|
CVE-2026-41034
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
364
|
7.4 |
HIGH
Network
|
-
|
-
|
In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, …
New
|
CWE-130
Improper Handling of Length Parameter Inconsistency
|
CVE-2026-41035
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
365
|
7.5 |
HIGH
Network
|
-
|
-
|
The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft…
New
|
CWE-611
XXE
|
CVE-2024-2374
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
366
|
6.1 |
MEDIUM
Network
|
-
|
-
|
The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input para…
New
|
CWE-79
Cross-site Scripting
|
CVE-2024-10242
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
367
|
5.4 |
MEDIUM
Network
|
-
|
-
|
The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject scrip…
New
|
CWE-79
Cross-site Scripting
|
CVE-2024-4867
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
368
|
3.5 |
LOW
Adjacent
|
-
|
-
|
The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external e…
New
|
CWE-611
XXE
|
CVE-2024-8010
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
369
|
6.1 |
MEDIUM
Network
|
-
|
-
|
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection.
An attacker can leverage this by injecting malicious scripts into t…
New
|
CWE-79
Cross-site Scripting
|
CVE-2025-6024
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
370
|
6.0 |
MEDIUM
Network
|
-
|
-
|
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usab…
New
|
CWE-613
Insufficient Session Expiration
|
CVE-2025-12624
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
