|
3541
|
9.9 |
CRITICAL
Network
|
-
|
-
|
A critical XSS vulnerability affected hackage-server and
hackage.haskell.org. HTML and JavaScript files provided in source
packages or via the documentation upload facility were served
as-is on the …
|
CWE-79
Cross-site Scripting
|
CVE-2026-40470
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3542
|
9.6 |
CRITICAL
Network
|
-
|
-
|
hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to uplo…
|
CWE-352
Origin Validation Error
|
CVE-2026-40471
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3543
|
9.9 |
CRITICAL
Network
|
-
|
-
|
In hackage-server, user-controlled metadata from .cabal files are rendered into HTML
href attributes without proper sanitization, enabling stored
Cross-Site Scripting (XSS) attacks.
|
CWE-79
Cross-site Scripting
|
CVE-2026-40472
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3544
|
- |
|
-
|
-
|
TP-Link TL-WR841N v13 uses DES-CBC encryption in the TDDPv2 debug protocol with a cryptographic key derived from default web management credentials, making the key predictable if device is left in de…
|
CWE-1394
Use of Default Cryptographic Key
|
CVE-2026-5039
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3545
|
8.0 |
HIGH
Network
|
dnnsoftware
|
dotnetnuke
|
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could incl…
|
CWE-87
Improper Neutralization of Alternate XSS Syntax
|
CVE-2026-40321
|
2026-04-24 23:41 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3546
|
3.7 |
LOW
Network
|
-
|
-
|
A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each hea…
|
CWE-444
HTTP Request Smuggling
|
CVE-2026-2708
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3547
|
9.3 |
CRITICAL
Network
|
-
|
-
|
Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network.
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-32210
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3548
|
10.0 |
CRITICAL
Network
|
-
|
-
|
Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-33819
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3549
|
8.1 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and…
|
CWE-472
External Control of Assumed-Immutable Web Parameter
|
CVE-2026-41353
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3550
|
3.7 |
LOW
Network
|
-
|
-
|
OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers ca…
|
CWE-706
Use of Incorrectly-Resolved Name or Reference
|
CVE-2026-41354
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
