# | CVSS | Severity | Attack vector | Vendor | Product | Description | CWE | CVE | Updated | Published
4091 | 10.0 | CRITICAL | Network | wwbn | avideo | WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without saniti… | CWE-94 Code Injection | CVE-2026-40911 | 2026-04-28 00:12 | 2026-04-22
4092 | 9.8 | CRITICAL | Network | roxy-wi | roxy-wi | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxy_section_save function in app/routes/… | CWE-89 SQL Injection | CVE-2026-33078 | 2026-04-28 00:10 | 2026-04-24
4093 | 9.9 | CRITICAL | Network | openclaw | openclaw | OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can e… | CWE-648 Incorrect Use of Privileged APIs | CVE-2026-41329 | 2026-04-28 00:09 | 2026-04-21
4094 | 7.2 | HIGH | Network | espocrm | espocrm | EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled `name` and `scope` values and pass t… | CWE-23 Relative Path Traversal | CVE-2026-33733 | 2026-04-28 00:08 | 2026-04-23
4095 | 4.4 | MEDIUM | Local | openclaw | openclaw | OpenClaw before 2026.3.31 contains an environment variable override vulnerability in host exec policy that fails to properly enforce proxy, TLS, Docker, and Git TLS controls. Attackers can bypass sec… | CWE-453 Insecure Default Variable Initialization | CVE-2026-41330 | 2026-04-28 00:08 | 2026-04-21
4096 | 5.3 | MEDIUM | Network | openclaw | openclaw | OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Telegram audio preflight transcription that allows unauthorized group senders to trigger transcription processing. Attackers… | CWE-408 Incorrect Behavior Order: Early Amplification | CVE-2026-41331 | 2026-04-28 00:08 | 2026-04-21
4097 | 4.8 | MEDIUM | Network | gfi | helpdesk | GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality that allows authenticated administrators to inject arbitrary J… | CWE-79 Cross-site Scripting | CVE-2026-23752 | 2026-04-28 00:07 | 2026-04-21
4098 | 8.6 | HIGH | Local | openclaw | openclaw | OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a… | CWE-15 External Control of System or Configuration Setting | CVE-2026-41294 | 2026-04-28 00:07 | 2026-04-21
4099 | 4.8 | MEDIUM | Network | gfi | helpdesk | GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the language management functionality where the charset POST parameter is passed directly to SWIFT_Language::Create(… | CWE-79 Cross-site Scripting | CVE-2026-23753 | 2026-04-28 00:07 | 2026-04-21
4100 | 7.5 | HIGH | Network | gomarkdown | markdown | The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Processing a malformed input containing a < character that is not followed by a > charact… | CWE-125 Out-of-bounds Read | CVE-2026-40890 | 2026-04-28 00:07 | 2026-04-22
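The Roxy-WI entry (CVE-2026-33078, CWE-89) names a SQL injection in a section-save handler, but the listing shows only the truncated description. The block below is an added example and is not Roxy-WI's code: it uses a constructed sqlite3 schema (`haproxy_sections`, `users`) and a constructed payload to contrast a handler that interpolates request values into an UPDATE statement with the parameterised form. All table and column names are assumptions for the illustration.

```python
import sqlite3

# Constructed schema, unrelated to Roxy-WI's real tables: a config-section
# table the handler writes to, and a users table holding something worth
# stealing.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE haproxy_sections (id INTEGER PRIMARY KEY, name TEXT, config TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO haproxy_sections VALUES (1, 'frontend_main', 'bind *:80');
        INSERT INTO users VALUES (1, 'alice', '$2b$12$constructed-hash-value');
        """
    )
    return conn


def save_section_vulnerable(conn, section_id, name, config) -> None:
    # Hypothetical vulnerable handler: request values are interpolated into the
    # statement text, so a quote inside `name` ends the literal and the rest of
    # the payload is executed as SQL.
    sql = (
        f"UPDATE haproxy_sections SET name = '{name}', config = '{config}' "
        f"WHERE id = {section_id}"
    )
    conn.execute(sql)
    conn.commit()


def save_section_fixed(conn, section_id, name, config) -> None:
    # Parameterised form: the driver sends the values separately from the
    # statement, so the identical payload is stored as an ordinary string.
    conn.execute(
        "UPDATE haproxy_sections SET name = ?, config = ? WHERE id = ?",
        (name, config, int(section_id)),
    )
    conn.commit()


def read_section(conn, section_id):
    return conn.execute(
        "SELECT name, config FROM haproxy_sections WHERE id = ?", (int(section_id),)
    ).fetchone()


# Constructed payload: closes the name literal, rewrites the config column from
# a subquery against another table, then comments out the rest of the statement
# (including the WHERE clause the handler appended).
PAYLOAD = "x', config = (SELECT password_hash FROM users WHERE username = 'alice') -- "


def demo():
    vuln = make_db()
    save_section_vulnerable(vuln, 1, PAYLOAD, "bind *:80")
    fixed = make_db()
    save_section_fixed(fixed, 1, PAYLOAD, "bind *:80")
    # Vulnerable copy: the config column now holds alice's password hash.
    # Fixed copy: name is the literal payload text, config is untouched.
    return read_section(vuln, 1), read_section(fixed, 1)


if __name__ == "__main__":
    print(demo())
```

Because the injected fragment also comments out the handler's `WHERE id = …`, the vulnerable UPDATE touches every row in the table; in a multi-row deployment the damage would not be limited to the section being saved.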
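The EspoCRM entry (CVE-2026-33733, CWE-23) describes admin-controlled `name` and `scope` values reaching a file path. The block below is an added example, not EspoCRM's code: it builds a throwaway template directory, shows a resolver that joins the request values straight into the path, and a hardened resolver that allowlists the identifiers and then checks that the resolved path stays under the template root. The identifier pattern, the `.tpl` suffix and the directory layout are assumptions for the illustration.

```python
import os
import re
import tempfile

# Shape an admin-chosen template name or scope may take. This pattern is an
# assumption for the example, not EspoCRM's rule: it rejects separators, dots
# and empty strings outright.
SAFE_IDENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


def template_path_vulnerable(base_dir: str, scope: str, name: str) -> str:
    # Hypothetical vulnerable resolver: request values go straight into the
    # path. "../" segments walk out of base_dir, and an absolute scope makes
    # os.path.join discard base_dir entirely.
    return os.path.join(base_dir, scope, name + ".tpl")


def template_path_fixed(base_dir: str, scope: str, name: str) -> str:
    # 1. Allowlist the identifiers before they touch the filesystem.
    for value in (scope, name):
        if not SAFE_IDENT.match(value):
            raise ValueError(f"invalid template identifier: {value!r}")
    # 2. Containment check on the fully resolved path; this is defence in
    #    depth against anything the allowlist misses, including symlinks
    #    inside the template tree that point outside it.
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, scope, name + ".tpl"))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("template path escapes the template root")
    return candidate


def demo() -> tuple:
    # Constructed layout: <tmp>/templates/Account/invoice.tpl is a legitimate
    # template, <tmp>/secret.tpl stands in for a file outside the root.
    tmp = tempfile.mkdtemp()
    base = os.path.join(tmp, "templates")
    os.makedirs(os.path.join(base, "Account"))
    with open(os.path.join(base, "Account", "invoice.tpl"), "w") as fh:
        fh.write("invoice body")
    with open(os.path.join(tmp, "secret.tpl"), "w") as fh:
        fh.write("outside the root")

    traversal = "../../secret"  # constructed payload supplied as `name`

    with open(template_path_vulnerable(base, "Account", traversal)) as fh:
        leaked = fh.read()  # reads <tmp>/secret.tpl

    try:
        template_path_fixed(base, "Account", traversal)
        blocked = None
    except ValueError as exc:
        blocked = str(exc)

    with open(template_path_fixed(base, "Account", "invoice")) as fh:
        legit = fh.read()  # the hardened resolver still serves real templates
    return leaked, blocked, legit


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately independent: the allowlist gives a clear error for malformed input, while the `realpath` containment check holds even if a future code path builds the identifier from something the regex never saw.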
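The OpenClaw entry CVE-2026-41294 (CWE-15) says a working-directory `.env` file is loaded before trusted state-directory configuration. The block below is an added example and is not OpenClaw's code: it implements a minimal dotenv parser and applies sources with first-wins semantics (a key already set is never overwritten), which is the common dotenv behaviour and is assumed here, to show why load order decides who controls a setting. The variable names and file contents are constructed for the illustration.

```python
def parse_dotenv(text: str) -> dict:
    """Minimal KEY=VALUE parser: skips blank lines and comments, accepts an
    optional 'export ' prefix and strips one layer of matching quotes."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        result[key] = value
    return result


def apply_sources(sources, environ=None) -> dict:
    """Apply (label, text) sources in order with first-wins semantics: a key
    that is already present is left alone. Assumed here as the loader's
    behaviour; it is what turns load order into a trust decision."""
    env = dict(environ or {})
    for _label, text in sources:
        for key, value in parse_dotenv(text).items():
            env.setdefault(key, value)
    return env


# Constructed file contents. TRUSTED_STATE_ENV plays the state-directory
# configuration; ATTACKER_CWD_ENV is what could be dropped into a working
# directory the tool is later run from.
TRUSTED_STATE_ENV = "API_BASE_URL=https://api.internal.example\nTLS_VERIFY=1\n"
ATTACKER_CWD_ENV = (
    "# looks harmless\n"
    "API_BASE_URL='http://attacker.example'\n"
    "TLS_VERIFY=0\n"
    "EDITOR=vim\n"
)

# Assumption for the example: keys a working-directory file must never set.
SECURITY_KEYS = {"API_BASE_URL", "TLS_VERIFY"}


def load_vulnerable() -> dict:
    # Working-directory file applied first, so under first-wins semantics its
    # values shadow the trusted configuration loaded afterwards.
    return apply_sources([("cwd", ATTACKER_CWD_ENV), ("state", TRUSTED_STATE_ENV)])


def load_fixed() -> dict:
    # Trusted state-directory configuration first; the working-directory file
    # may only contribute keys that are neither security-relevant nor set.
    env = apply_sources([("state", TRUSTED_STATE_ENV)])
    for key, value in parse_dotenv(ATTACKER_CWD_ENV).items():
        if key in SECURITY_KEYS:
            continue
        env.setdefault(key, value)
    return env


if __name__ == "__main__":
    print("vulnerable:", load_vulnerable())
    print("fixed:     ", load_fixed())
```

Reordering alone protects only the keys the trusted file happens to set; the deny list covers security-relevant keys the trusted file leaves unset, which a working-directory file would otherwise be free to introduce.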
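The gomarkdown entry (CVE-2026-40890, CWE-125) is triggered by a `<` that is not followed by a `>`. The block below is an added example, not the library's code, of the general failure class: an inline scanner that, after a `<`, advances until it finds `>` and assumes one exists, beside a bounded scanner that reports "no tag" instead of running off the buffer. In a C-style loop the unbounded version is an out-of-bounds read; on a Go slice it is an index-out-of-range panic, so in a memory-safe language the bug surfaces as a crash (availability impact); in Python it raises IndexError, which the demo catches. The renderer and its escaping rules are constructed for the illustration.

```python
LT, GT = ord("<"), ord(">")


def scan_tag_unbounded(data: bytes, start: int) -> int:
    """Hypothetical vulnerable scanner: returns the index just past the '>'
    that closes the tag opened at `start`, assuming one exists. If the input
    ends first, the loop indexes past the buffer."""
    i = start + 1
    while data[i] != GT:  # IndexError here when no '>' follows
        i += 1
    return i + 1


def scan_tag_bounded(data: bytes, start: int) -> int:
    """Bounded scanner: stops at the end of the buffer and returns -1 when
    there is no closing '>', leaving the caller to treat '<' as text."""
    n = len(data)
    i = start + 1
    while i < n and data[i] != GT:
        i += 1
    return i + 1 if i < n else -1


def render_inline(data: bytes, scan) -> str:
    """Tiny inline renderer: raw tags are passed through unchanged, plain
    text is copied, and a lone '<' is emitted as '&lt;'."""
    out = []
    i, n = 0, len(data)
    while i < n:
        if data[i] != LT:
            j = data.find(b"<", i)
            j = n if j == -1 else j
            out.append(data[i:j].decode("utf-8", "replace"))
            i = j
            continue
        end = scan(data, i)
        if end == -1:
            out.append("&lt;")  # no closing '>': literal text, not a tag
            i += 1
        else:
            out.append(data[i:end].decode("utf-8", "replace"))
            i = end
    return "".join(out)


def demo(sample: bytes) -> dict:
    """Run both scanners over one constructed input and report what each did."""
    result = {"input": sample}
    try:
        result["unbounded"] = render_inline(sample, scan_tag_unbounded)
    except IndexError as exc:
        result["unbounded"] = f"crash: {exc}"
    result["bounded"] = render_inline(sample, scan_tag_bounded)
    return result


if __name__ == "__main__":
    for sample in (b"bold <b>text</b>", b"a < b", b"trailing <"):
        print(demo(sample))
```

Well-formed input makes the two scanners indistinguishable, which is why this class of bug survives ordinary testing; a fuzz corpus that includes inputs ending in `<` finds it immediately.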