|
381
|
7.5 |
HIGH
Network
|
-
|
-
|
The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft…
Update
|
CWE-611
XXE
|
CVE-2024-2374
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
382
|
6.1 |
MEDIUM
Network
|
-
|
-
|
The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input para…
Update
|
CWE-79
Cross-site Scripting
|
CVE-2024-10242
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
383
|
5.4 |
MEDIUM
Network
|
-
|
-
|
The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject scrip…
Update
|
CWE-79
Cross-site Scripting
|
CVE-2024-4867
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
384
|
3.5 |
LOW
Adjacent
|
-
|
-
|
The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external e…
Update
|
CWE-611
XXE
|
CVE-2024-8010
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
385
|
6.1 |
MEDIUM
Network
|
-
|
-
|
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection.
An attacker can leverage this by injecting malicious scripts into t…
Update
|
CWE-79
Cross-site Scripting
|
CVE-2025-6024
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
386
|
6.0 |
MEDIUM
Network
|
-
|
-
|
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usab…
Update
|
CWE-613
Insufficient Session Expiration
|
CVE-2025-12624
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
387
|
9.8 |
CRITICAL
Network
|
-
|
-
|
The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment…
Update
|
CWE-284
Improper Access Control
|
CVE-2026-31843
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
388
|
7.1 |
HIGH
Network
|
-
|
-
|
An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-m…
Update
|
CWE-640
Weak Password Recovery Mechanism for Forgotten Password
|
CVE-2026-30459
|
2026-04-18 00:38 |
2026-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
389
|
7.5 |
HIGH
Network
|
-
|
-
|
A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3.41 when parsing job files containing the fdp_pli option. The callback function str_fdp_pli_cb() does not validate the i…
Update
|
CWE-476
NULL Pointer Dereference
|
CVE-2026-30656
|
2026-04-18 00:38 |
2026-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
390
|
5.3 |
MEDIUM
Network
|
-
|
-
|
The Silverstripe Assets Module is a required component of Silverstripe Framework. In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered in templates or otherwise accessed via DBFile…
Update
|
CWE-863
Incorrect Authorization
|
CVE-2026-24749
|
2026-04-18 00:38 |
2026-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
