|
1231
|
4.8 |
MEDIUM
Network
|
gfi
|
helpdesk
|
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality that allows authenticated administrators to inject arbitrary J…
|
CWE-79
Cross-site Scripting
|
CVE-2026-23752
|
2026-04-28 00:07 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1232
|
8.6 |
HIGH
Local
|
openclaw
|
openclaw
|
OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a…
|
CWE-15
External Control of System or Configuration Setting
|
CVE-2026-41294
|
2026-04-28 00:07 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1233
|
4.8 |
MEDIUM
Network
|
gfi
|
helpdesk
|
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the language management functionality where the charset POST parameter is passed directly to SWIFT_Language::Create(…
|
CWE-79
Cross-site Scripting
|
CVE-2026-23753
|
2026-04-28 00:07 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1234
|
7.5 |
HIGH
Network
|
gomarkdown
|
markdown
|
The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Processing a malformed input containing a < character that is not followed by a > charact…
|
CWE-125
Out-of-bounds Read
|
CVE-2026-40890
|
2026-04-28 00:07 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1235
|
7.8 |
HIGH
Local
|
openclaw
|
openclaw
|
OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute during built-in channel setup and login. Attackers can clone a works…
|
CWE-829
Inclusion of Functionality from Untrusted Control Sphere
|
CVE-2026-41295
|
2026-04-28 00:06 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1236
|
8.2 |
HIGH
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path val…
|
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
|
CVE-2026-41296
|
2026-04-28 00:06 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1237
|
7.6 |
HIGH
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows attackers to access internal resources by following unvalid…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-41297
|
2026-04-28 00:05 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1238
|
7.5 |
HIGH
Network
|
roxy-wi
|
roxy-wi
|
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the oldconfig parameter in the haproxy_section_save interface has an arbitrary file re…
|
CWE-22
Path Traversal
|
CVE-2026-33077
|
2026-04-28 00:04 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1239
|
9.8 |
CRITICAL
Network
|
roxy-wi
|
roxy-wi
|
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the haproxy_section_save interface presents a vulnerability that could lead to remote …
|
CWE-22
Path Traversal
|
CVE-2026-33076
|
2026-04-28 00:03 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1240
|
5.4 |
MEDIUM
Network
|
gfi
|
helpdesk
|
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the Troubleshooter module where the subject POST parameter is not sanitized in Controller_Step.InsertSubmit() and Ed…
|
CWE-79
Cross-site Scripting
|
CVE-2026-23756
|
2026-04-28 00:02 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
