|
391
|
8.8 |
HIGH
Network
|
-
|
-
|
Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Versions of @paperclipai/server prior to 2026.416.0 contain a privilege escalation vulnerability th…
New
|
CWE-78
OS Command
|
CVE-2026-41208
|
2026-04-24 23:50 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
392
|
- |
|
-
|
-
|
OpenLearn is open-source educational forum software. Prior to commit 844b2a40a69d0c4911580fe501923f0b391313ab, when `safeMode` is enabled, unapproved forum posts are hidden from the public list, but …
New
|
CWE-284
Improper Access Control
|
CVE-2026-41243
|
2026-04-24 23:50 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
393
|
10.0 |
CRITICAL
Network
|
-
|
-
|
Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Prior to version 2026.416.0, an unauthenticated attacker can achieve full remote code execution on …
New
|
CWE-287
CWE-862
CWE-1188
Improper Authentication
Missing Authorization
Insecure Default Initialization of Resource
|
CVE-2026-41679
|
2026-04-24 23:50 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
394
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Successful exploitation of the stored cross-site scripting (XSS) vulnerability could allow an attacker to execute arbitrary JavaScript on any user account that has access to Koollab LMS’ courselet fe…
New
|
-
|
CVE-2026-3007
|
2026-04-24 23:50 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
395
|
7.5 |
HIGH
Network
|
-
|
-
|
Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` pa…
New
|
CWE-59
Link Following
|
CVE-2026-41231
|
2026-04-24 23:50 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
396
|
9.9 |
CRITICAL
Network
|
-
|
-
|
Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against…
New
|
CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
|
CVE-2026-41228
|
2026-04-24 23:50 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
397
|
9.1 |
CRITICAL
Network
|
-
|
-
|
Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single qu…
New
|
CWE-94
Code Injection
|
CVE-2026-41229
|
2026-04-24 23:50 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
398
|
8.5 |
HIGH
Network
|
-
|
-
|
Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in …
New
|
CWE-93
CRLF Injection
|
CVE-2026-41230
|
2026-04-24 23:50 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
399
|
5.0 |
MEDIUM
Network
|
-
|
-
|
Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when s…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-41232
|
2026-04-24 23:50 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
400
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling res…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-41233
|
2026-04-24 23:50 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
