|
3241
|
9.9 |
CRITICAL
Network
|
-
|
-
|
In hackage-server, user-controlled metadata from .cabal files are rendered into HTML
href attributes without proper sanitization, enabling stored
Cross-Site Scripting (XSS) attacks.
|
CWE-79
Cross-site Scripting
|
CVE-2026-40472
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3242
|
- |
|
-
|
-
|
TP-Link TL-WR841N v13 uses DES-CBC encryption in the TDDPv2 debug protocol with a cryptographic key derived from default web management credentials, making the key predictable if device is left in de…
|
CWE-1394
Use of Default Cryptographic Key
|
CVE-2026-5039
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3243
|
8.0 |
HIGH
Network
|
dnnsoftware
|
dotnetnuke
|
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could incl…
|
CWE-87
Improper Neutralization of Alternate XSS Syntax
|
CVE-2026-40321
|
2026-04-24 23:41 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3244
|
3.7 |
LOW
Network
|
-
|
-
|
A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each hea…
|
CWE-444
HTTP Request Smuggling
|
CVE-2026-2708
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3245
|
9.3 |
CRITICAL
Network
|
-
|
-
|
Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network.
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-32210
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3246
|
10.0 |
CRITICAL
Network
|
-
|
-
|
Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-33819
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3247
|
8.1 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and…
|
CWE-472
External Control of Assumed-Immutable Web Parameter
|
CVE-2026-41353
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3248
|
3.7 |
LOW
Network
|
-
|
-
|
OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers ca…
|
CWE-706
Use of Incorrectly-Resolved Name or Reference
|
CVE-2026-41354
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3249
|
7.3 |
HIGH
Local
|
-
|
-
|
OpenShell before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files into workspace hooks. Attackers with mirror mode access can execute …
|
CWE-829
Inclusion of Functionality from Untrusted Control Sphere
|
CVE-2026-41355
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3250
|
5.4 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through …
|
CWE-346
Origin Validation Error
|
CVE-2026-41358
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
