|
371
|
9.8 |
CRITICAL
Network
|
-
|
-
|
An issue in Ntfy ntfy.sh before v.2.21 allows a remote attacker to execute arbitrary code via the parseActions function
New
|
CWE-94
Code Injection
|
CVE-2026-39087
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
372
|
9.9 |
CRITICAL
Network
|
-
|
-
|
A critical XSS vulnerability affected hackage-server and
hackage.haskell.org. HTML and JavaScript files provided in source
packages or via the documentation upload facility were served
as-is on the …
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-40470
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
373
|
9.6 |
CRITICAL
Network
|
-
|
-
|
hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to uplo…
New
|
CWE-352
Origin Validation Error
|
CVE-2026-40471
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
374
|
9.9 |
CRITICAL
Network
|
-
|
-
|
In hackage-server, user-controlled metadata from .cabal files are rendered into HTML
href attributes without proper sanitization, enabling stored
Cross-Site Scripting (XSS) attacks.
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-40472
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
375
|
- |
|
-
|
-
|
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TA…
New
|
CWE-79
CWE-183
Cross-site Scripting
Permissive List of Allowed Inputs
|
CVE-2026-41240
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
376
|
9.8 |
CRITICAL
Network
|
-
|
-
|
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMinAlive parameter to /cgi-bin/cstecgi.cgi.
New
|
CWE-78
OS Command
|
CVE-2026-31177
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
377
|
9.8 |
CRITICAL
Network
|
-
|
-
|
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMaxAlive parameter to /cgi-bin/cstecgi.cgi.
New
|
CWE-78
OS Command
|
CVE-2026-31178
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
378
|
6.5 |
MEDIUM
Network
|
-
|
-
|
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunPort parameter to /cgi-bin/cstecgi.cgi.
New
|
CWE-77
Command Injection
|
CVE-2026-31179
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
379
|
9.8 |
CRITICAL
Network
|
-
|
-
|
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunServerAddr parameter to /cgi-bin/cstecgi.cgi.
New
|
CWE-78
OS Command
|
CVE-2026-31181
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
380
|
5.3 |
MEDIUM
Adjacent
|
-
|
-
|
OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may parse a server-provide…
New
|
CWE-789
Memory Allocation with Excessive Size Value
|
CVE-2026-40891
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
