|
471
|
7.8 |
HIGH
Local
|
-
|
-
|
A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence() function. An attacker with access to…
New
|
CWE-825
Expired Pointer Dereference
|
CVE-2026-34001
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
472
|
7.8 |
HIGH
Local
|
-
|
-
|
A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the X server, leading to an out-of-bounds memory access vulnerabi…
New
|
CWE-125
Out-of-bounds Read
|
CVE-2026-34003
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
473
|
9.8 |
CRITICAL
Network
|
-
|
-
|
An issue in Ntfy ntfy.sh before v.2.21 allows a remote attacker to execute arbitrary code via the parseActions function
New
|
CWE-94
Code Injection
|
CVE-2026-39087
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
474
|
9.9 |
CRITICAL
Network
|
-
|
-
|
A critical XSS vulnerability affected hackage-server and
hackage.haskell.org. HTML and JavaScript files provided in source
packages or via the documentation upload facility were served
as-is on the …
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-40470
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
475
|
9.6 |
CRITICAL
Network
|
-
|
-
|
hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to uplo…
New
|
CWE-352
Origin Validation Error
|
CVE-2026-40471
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
476
|
9.9 |
CRITICAL
Network
|
-
|
-
|
In hackage-server, user-controlled metadata from .cabal files are rendered into HTML
href attributes without proper sanitization, enabling stored
Cross-Site Scripting (XSS) attacks.
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-40472
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
477
|
- |
|
-
|
-
|
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TA…
New
|
CWE-79
CWE-183
Cross-site Scripting
Permissive List of Allowed Inputs
|
CVE-2026-41240
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
478
|
9.8 |
CRITICAL
Network
|
-
|
-
|
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMinAlive parameter to /cgi-bin/cstecgi.cgi.
New
|
CWE-78
OS Command
|
CVE-2026-31177
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
479
|
9.8 |
CRITICAL
Network
|
-
|
-
|
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMaxAlive parameter to /cgi-bin/cstecgi.cgi.
New
|
CWE-78
OS Command
|
CVE-2026-31178
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
480
|
6.5 |
MEDIUM
Network
|
-
|
-
|
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunPort parameter to /cgi-bin/cstecgi.cgi.
New
|
CWE-77
Command Injection
|
CVE-2026-31179
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
