|
601
|
6.2 |
MEDIUM
Local
|
-
|
-
|
In ONLYOFFICE DesktopEditors before 9.3.0, the update service allows attackers to perform actions on files with SYSTEM privileges.
|
CWE-669
Incorrect Resource Transfer Between Spheres
|
CVE-2026-41030
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
602
|
5.0 |
MEDIUM
Network
|
-
|
-
|
ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and ASLR bypass.
|
CWE-125
Out-of-bounds Read
|
CVE-2026-41034
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
603
|
7.4 |
HIGH
Network
|
-
|
-
|
In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, …
|
CWE-130
Improper Handling of Length Parameter Inconsistency
|
CVE-2026-41035
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
604
|
6.1 |
MEDIUM
Network
|
-
|
-
|
The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input para…
|
CWE-79
Cross-site Scripting
|
CVE-2024-10242
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
605
|
5.4 |
MEDIUM
Network
|
-
|
-
|
The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject scrip…
|
CWE-79
Cross-site Scripting
|
CVE-2024-4867
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
606
|
3.5 |
LOW
Adjacent
|
-
|
-
|
The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external e…
|
CWE-611
XXE
|
CVE-2024-8010
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
607
|
7.5 |
HIGH
Network
|
-
|
-
|
The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft…
|
CWE-611
XXE
|
CVE-2024-2374
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
608
|
6.1 |
MEDIUM
Network
|
-
|
-
|
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection.
An attacker can leverage this by injecting malicious scripts into t…
|
CWE-79
Cross-site Scripting
|
CVE-2025-6024
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
609
|
6.0 |
MEDIUM
Network
|
-
|
-
|
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usab…
|
CWE-613
Insufficient Session Expiration
|
CVE-2025-12624
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
610
|
9.8 |
CRITICAL
Network
|
-
|
-
|
The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment…
|
CWE-284
Improper Access Control
|
CVE-2026-31843
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
