|
31
|
8.8 |
HIGH
Network
|
dell
|
powerprotect_dp_series_appliance
data_domain_operating_system
|
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.1…
Update
|
CWE-295
Improper Certificate Validation
|
CVE-2026-23776
|
2026-04-21 03:17 |
2026-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
32
|
7.2 |
HIGH
Network
|
dell
|
powerprotect_dp_series_appliance
data_domain_operating_system
|
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.1…
Update
|
CWE-77
Command Injection
|
CVE-2026-23778
|
2026-04-21 03:17 |
2026-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
33
|
5.8 |
MEDIUM
Network
|
-
|
-
|
OpenClaw versions 2026.4.7 before 2026.4.15 fail to enforce local-root containment on tool-result media paths, allowing arbitrary local and UNC file access. Attackers can craft malicious tool-result …
New
|
CWE-73
External Control of File Name or Path
|
CVE-2026-41389
|
2026-04-21 03:16 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
34
|
7.8 |
HIGH
Local
|
-
|
-
|
Insecure Permissions vulnerability in DeepCool DeepCreative v.1.2.7 and before allows a local attacker to execute arbitrary code via a crafted file
New
|
CWE-277
Insecure Inherited Permissions
|
CVE-2026-30266
|
2026-04-21 03:16 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
35
|
6.6 |
MEDIUM
Local
|
-
|
-
|
python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewri…
New
|
CWE-59
CWE-61
Link Following
UNIX Symbolic Link (Symlink) Following
|
CVE-2026-28684
|
2026-04-21 03:16 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
36
|
- |
|
-
|
-
|
A stack-use-after-return issue exists in the Arduino_Core_STM32 library prior to version 1.7.0. The pwm_start() function allocates a TIM_HandleTypeDef structure on the stack and passes its address to…
New
|
-
|
CVE-2026-26399
|
2026-04-21 03:16 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
37
|
- |
|
-
|
-
|
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by manipulating the …
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-23758
|
2026-04-21 03:16 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
38
|
5.4 |
MEDIUM
Network
|
-
|
-
|
GFI HelpDesk before 4.99.10 contains a stored cross-site scripting vulnerability in the Reports module where the title parameter is passed directly to SWIFT_Report::Create() without HTML sanitization…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-23757
|
2026-04-21 03:16 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
39
|
5.4 |
MEDIUM
Network
|
-
|
-
|
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the Troubleshooter module where the subject POST parameter is not sanitized in Controller_Step.InsertSubmit() and Ed…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-23756
|
2026-04-21 03:16 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
40
|
4.8 |
MEDIUM
Network
|
-
|
-
|
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the language management functionality where the charset POST parameter is passed directly to SWIFT_Language::Create(…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-23753
|
2026-04-21 03:16 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
