|
2671
|
9.8 |
CRITICAL
Network
|
roxy-wi
|
roxy-wi
|
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxy_section_save function in app/routes/…
|
CWE-89
SQL Injection
|
CVE-2026-33078
|
2026-04-28 00:10 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2672
|
9.9 |
CRITICAL
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can e…
|
CWE-648
Incorrect Use of Privileged APIs
|
CVE-2026-41329
|
2026-04-28 00:09 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2673
|
7.2 |
HIGH
Network
|
espocrm
|
espocrm
|
EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled `name` and `scope` values and pass t…
|
CWE-23
Relative Path Traversal
|
CVE-2026-33733
|
2026-04-28 00:08 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2674
|
4.4 |
MEDIUM
Local
|
openclaw
|
openclaw
|
OpenClaw before 2026.3.31 contains an environment variable override vulnerability in host exec policy that fails to properly enforce proxy, TLS, Docker, and Git TLS controls. Attackers can bypass sec…
|
CWE-453
Insecure Default Variable Initialization
|
CVE-2026-41330
|
2026-04-28 00:08 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2675
|
5.3 |
MEDIUM
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Telegram audio preflight transcription that allows unauthorized group senders to trigger transcription processing. Attackers…
|
CWE-408
Incorrect Behavior Order: Early Amplification
|
CVE-2026-41331
|
2026-04-28 00:08 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2676
|
4.8 |
MEDIUM
Network
|
gfi
|
helpdesk
|
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality that allows authenticated administrators to inject arbitrary J…
|
CWE-79
Cross-site Scripting
|
CVE-2026-23752
|
2026-04-28 00:07 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2677
|
8.6 |
HIGH
Local
|
openclaw
|
openclaw
|
OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a…
|
CWE-15
External Control of System or Configuration Setting
|
CVE-2026-41294
|
2026-04-28 00:07 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2678
|
4.8 |
MEDIUM
Network
|
gfi
|
helpdesk
|
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the language management functionality where the charset POST parameter is passed directly to SWIFT_Language::Create(…
|
CWE-79
Cross-site Scripting
|
CVE-2026-23753
|
2026-04-28 00:07 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2679
|
7.5 |
HIGH
Network
|
gomarkdown
|
markdown
|
The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Processing a malformed input containing a < character that is not followed by a > charact…
|
CWE-125
Out-of-bounds Read
|
CVE-2026-40890
|
2026-04-28 00:07 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2680
|
7.8 |
HIGH
Local
|
openclaw
|
openclaw
|
OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute during built-in channel setup and login. Attackers can clone a works…
|
CWE-829
Inclusion of Functionality from Untrusted Control Sphere
|
CVE-2026-41295
|
2026-04-28 00:06 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
