| # | CVSS | Severity | Vector | Vendor | Product | CWE | CVE | Updated | Published | Description |
|---|---|---|---|---|---|---|---|---|---|---|
| 451 | 9.8 | CRITICAL | Network | - | - | - | CVE-2026-31478 | 2026-04-28 00:16 | 2026-04-22 | In the Linux kernel, the following vulnerability has been resolved: ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len(). After this commit (e2b76ab8b5c9 "ksmbd: add supp… |
| 452 | 8.8 | HIGH | Network | paperclip | paperclipai | CWE-78 OS Command Injection | CVE-2026-41208 | 2026-04-28 00:14 | 2026-04-23 | Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Versions of @paperclipai/server prior to 2026.416.0 contain a privilege escalation vulnerability th… |
| 453 | 10.0 | CRITICAL | Network | wwbn | avideo | CWE-94 Code Injection | CVE-2026-40911 | 2026-04-28 00:12 | 2026-04-22 | WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without saniti… |
| 454 | 9.8 | CRITICAL | Network | roxy-wi | roxy-wi | CWE-89 SQL Injection | CVE-2026-33078 | 2026-04-28 00:10 | 2026-04-24 | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxy_section_save function in app/routes/… |
| 455 | 9.9 | CRITICAL | Network | openclaw | openclaw | CWE-648 Incorrect Use of Privileged APIs | CVE-2026-41329 | 2026-04-28 00:09 | 2026-04-21 | OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can e… |
| 456 | 7.2 | HIGH | Network | espocrm | espocrm | CWE-23 Relative Path Traversal | CVE-2026-33733 | 2026-04-28 00:08 | 2026-04-23 | EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled `name` and `scope` values and pass t… |
| 457 | 4.4 | MEDIUM | Local | openclaw | openclaw | CWE-453 Insecure Default Variable Initialization | CVE-2026-41330 | 2026-04-28 00:08 | 2026-04-21 | OpenClaw before 2026.3.31 contains an environment variable override vulnerability in host exec policy that fails to properly enforce proxy, TLS, Docker, and Git TLS controls. Attackers can bypass sec… |
| 458 | 5.3 | MEDIUM | Network | openclaw | openclaw | CWE-408 Incorrect Behavior Order: Early Amplification | CVE-2026-41331 | 2026-04-28 00:08 | 2026-04-21 | OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Telegram audio preflight transcription that allows unauthorized group senders to trigger transcription processing. Attackers… |
| 459 | 4.8 | MEDIUM | Network | gfi | helpdesk | CWE-79 Cross-site Scripting | CVE-2026-23752 | 2026-04-28 00:07 | 2026-04-21 | GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality that allows authenticated administrators to inject arbitrary J… |
| 460 | 8.6 | HIGH | Local | openclaw | openclaw | CWE-15 External Control of System or Configuration Setting | CVE-2026-41294 | 2026-04-28 00:07 | 2026-04-21 | OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a… |
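The Roxy-WI entry (CVE-2026-33078, CWE-89) describes a SQL injection in a section-save handler. The following is an added illustration of that vulnerability class, written for this page and not taken from Roxy-WI: the table name, columns, seed rows and the `PAYLOAD_NAME` string are all constructed for the example, and `vulnerable_section_save` / `safe_section_save` are hypothetical functions, not the project's real `haproxy_section_save`. It shows how string interpolation lets a quote character in `name` rewrite the WHERE clause so one request updates every row, and how bound parameters confine the same input to a literal value.

```python
import sqlite3
from typing import List, Tuple

# Hypothetical schema for this illustration; it is not Roxy-WI's real table layout.
SCHEMA = """
CREATE TABLE haproxy_sections (
    id        INTEGER PRIMARY KEY,
    server_id INTEGER NOT NULL,
    name      TEXT    NOT NULL,
    config    TEXT    NOT NULL
);
"""

# Constructed seed rows: two sections on server 1, one on server 2.
SEED = [
    (1, "frontend_web", "bind *:80"),
    (1, "backend_app", "server app1 10.0.0.5:8080 check"),
    (2, "frontend_api", "bind *:8443 ssl"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO haproxy_sections (server_id, name, config) VALUES (?, ?, ?)", SEED
    )
    conn.commit()
    return conn


def vulnerable_section_save(conn: sqlite3.Connection, server_id: str, name: str, config: str) -> int:
    """Vulnerable pattern: request values are pasted into the statement text, so a
    quote in `name` ends the literal and whatever follows becomes SQL. Returns rows updated."""
    sql = (
        f"UPDATE haproxy_sections SET config = '{config}' "
        f"WHERE server_id = {server_id} AND name = '{name}'"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def safe_section_save(conn: sqlite3.Connection, server_id: str, name: str, config: str) -> int:
    """Hardened form: values travel as bound parameters, never as SQL text, and
    server_id is coerced to int so it cannot smuggle an expression either."""
    cur = conn.execute(
        "UPDATE haproxy_sections SET config = ? WHERE server_id = ? AND name = ?",
        (config, int(server_id), name),
    )
    conn.commit()
    return cur.rowcount


def dump(conn: sqlite3.Connection) -> List[Tuple[int, str, str]]:
    return conn.execute(
        "SELECT server_id, name, config FROM haproxy_sections ORDER BY id"
    ).fetchall()


# Constructed tautology payload: closes the quoted name and appends an always-true clause.
# AND binds tighter than OR, so the WHERE becomes (server_id = 1 AND name = '...') OR '1'='1'.
PAYLOAD_NAME = "frontend_web' OR '1'='1"


def rows_after_vulnerable_save() -> List[Tuple[int, str, str]]:
    """Table contents after one vulnerable save with the payload: every row is clobbered."""
    conn = make_db()
    vulnerable_section_save(conn, "1", PAYLOAD_NAME, "bind *:1337")
    return dump(conn)


def demo() -> Tuple[int, int, int]:
    """Rows touched by (vulnerable + payload, safe + payload, safe + legitimate name)."""
    conn = make_db()
    hit_vuln = vulnerable_section_save(conn, "1", PAYLOAD_NAME, "bind *:1337")
    conn = make_db()
    hit_safe = safe_section_save(conn, "1", PAYLOAD_NAME, "bind *:1337")
    hit_legit = safe_section_save(conn, "1", "frontend_web", "bind *:1337")
    return hit_vuln, hit_safe, hit_legit


if __name__ == "__main__":
    print("rows updated (vulnerable, safe+payload, safe+legit):", demo())
    for row in rows_after_vulnerable_save():
        print(row)
```

Note that `sqlite3.Connection.execute` refuses to run more than one statement, so a stacked `; DROP TABLE` payload would raise rather than execute here; the tautology form is used precisely because it works inside a single UPDATE, which is the shape a save handler issues.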
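The EspoCRM entry (CVE-2026-33733, CWE-23) describes admin template endpoints that pass attacker-controlled `name` and `scope` values into a file path. The following is an added example for this page, not EspoCRM code: the `<base_dir>/<scope>/<name>.tpl` layout, the identifier regex and the function names are assumptions chosen to illustrate the class. It contrasts a naive `os.path.join` with a resolver that allowlists both identifiers and then independently verifies the normalised path is still inside the base directory.

```python
import os
import re
from pathlib import Path

# Assumed layout for this illustration: templates live at <base_dir>/<scope>/<name>.tpl
# (a hypothetical store, not EspoCRM's real directory structure).
_IDENT = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,63}")  # assumed identifier policy for scope and name


def naive_template_path(base_dir: str, scope: str, name: str) -> str:
    """Vulnerable pattern: attacker-controlled scope/name go straight into the path.

    A name such as '../../etc/passwd' walks out of base_dir, and an absolute
    name makes os.path.join discard base_dir entirely.
    """
    return os.path.join(base_dir, scope, name + ".tpl")


def safe_template_path(base_dir: str, scope: str, name: str) -> Path:
    """Hardened form: allowlist both identifiers, then verify containment.

    The regex rejects '/', '\\', '.' and anything else that is not a plain
    identifier. The containment check is a second, independent guard so that a
    future relaxation of the regex cannot silently reintroduce traversal.
    """
    for label, value in (("scope", scope), ("name", name)):
        if not _IDENT.fullmatch(value):
            raise ValueError(f"invalid {label}: {value!r}")
    base = Path(base_dir).resolve()
    candidate = (base / scope / f"{name}.tpl").resolve()  # resolve() collapses any '..'
    if base not in candidate.parents:
        raise ValueError("template path escapes base directory")
    return candidate


def escapes_base(base_dir: str, path: str) -> bool:
    """True when `path`, once normalised, is not strictly inside base_dir."""
    base = Path(base_dir).resolve()
    return base not in Path(path).resolve().parents


def is_accepted(base_dir: str, scope: str, name: str) -> bool:
    """Does the hardened resolver accept this (scope, name) request?"""
    try:
        safe_template_path(base_dir, scope, name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    base = "/srv/app/templates"
    # Constructed inputs: one legitimate request and two traversal attempts.
    for scope, name in (("Account", "emailFolder"), ("Account", "../../../../etc/passwd"), ("Account", "/etc/passwd")):
        naive = naive_template_path(base, scope, name)
        print(f"{name!r:32} naive -> {naive}  escapes={escapes_base(base, naive)}  hardened accepts={is_accepted(base, scope, name)}")
```

The containment check uses `Path.resolve()` on both sides so that symlinked base directories compare consistently; checking a string prefix instead (`str(candidate).startswith(str(base))`) would wrongly accept a sibling directory such as `/srv/app/templates_old`.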
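Two of the OpenClaw entries concern environment precedence: CVE-2026-41294 (CWE-15) loads a working-directory `.env` before the trusted state-dir configuration, and CVE-2026-41330 (CWE-453) lets environment variables override proxy, TLS, Docker and Git TLS controls. The following is an added example for this page and is not OpenClaw's loader: the `PROTECTED_KEYS` set, the two sample files and the merge functions are constructed for illustration. It shows why load order matters with dotenv-style "first writer wins" semantics, and a hardened merge in which the trusted source is applied first and security-relevant keys are never accepted from the untrusted file at all.

```python
from typing import Dict, List, Tuple

# Assumed list of security-relevant variables for this illustration; the real
# OpenClaw policy is not reproduced here. These are the conventional names
# honoured by common proxy, TLS, Docker and Git tooling.
PROTECTED_KEYS = frozenset({
    "HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY", "NO_PROXY",   # proxy controls
    "NODE_TLS_REJECT_UNAUTHORIZED", "SSL_CERT_FILE",         # TLS controls
    "DOCKER_HOST", "DOCKER_TLS_VERIFY", "DOCKER_CERT_PATH",  # Docker controls
    "GIT_SSL_NO_VERIFY", "GIT_SSL_CAINFO",                   # Git TLS controls
})


def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE parser: ignores blank lines and comments, strips matching quotes."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def vulnerable_merge(cwd_env: Dict[str, str], trusted_env: Dict[str, str]) -> Dict[str, str]:
    """Vulnerable order: the cwd .env is loaded first and dotenv-style loading never
    overwrites a key that is already set, so trusted values only fill the gaps."""
    merged = dict(cwd_env)
    for key, value in trusted_env.items():
        merged.setdefault(key, value)
    return merged


def hardened_merge(cwd_env: Dict[str, str], trusted_env: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Hardened order: trusted state-dir config is authoritative; the cwd .env may only
    add keys that are neither already set nor security-relevant. Rejected keys are
    returned so the caller can log them."""
    merged = dict(trusted_env)
    rejected: List[str] = []
    for key, value in cwd_env.items():
        if key in PROTECTED_KEYS or key in merged:
            rejected.append(key)
            continue
        merged[key] = value
    return merged, rejected


# Constructed sample files (not real OpenClaw configuration).
TRUSTED_STATE_ENV = """\
# trusted: <state-dir>/config.env
NODE_TLS_REJECT_UNAUTHORIZED=1
HTTPS_PROXY=http://proxy.corp.example:3128
APP_NAME="demo"
"""

CWD_DOTENV = """\
# untrusted: ./.env shipped inside a cloned repository
NODE_TLS_REJECT_UNAUTHORIZED=0
HTTPS_PROXY=http://attacker.example:8080
GIT_SSL_NO_VERIFY=true
APP_NAME=evil
LOG_LEVEL=debug
"""


def demo() -> Tuple[Dict[str, str], Tuple[Dict[str, str], List[str]]]:
    """Merge the two constructed files both ways and return (vulnerable, (hardened, rejected))."""
    cwd = parse_dotenv(CWD_DOTENV)
    trusted = parse_dotenv(TRUSTED_STATE_ENV)
    return vulnerable_merge(cwd, trusted), hardened_merge(cwd, trusted)


if __name__ == "__main__":
    bad, (good, rejected) = demo()
    print("vulnerable:", bad["NODE_TLS_REJECT_UNAUTHORIZED"], bad["HTTPS_PROXY"], bad.get("GIT_SSL_NO_VERIFY"))
    print("hardened:  ", good["NODE_TLS_REJECT_UNAUTHORIZED"], good["HTTPS_PROXY"], good.get("GIT_SSL_NO_VERIFY"))
    print("rejected from cwd .env:", rejected)
```

Reversing the load order fixes the first entry's bug but not the second: a protected key the trusted file happens not to set would still be accepted from the untrusted `.env`, which is why the hardened merge rejects `PROTECTED_KEYS` outright rather than relying on precedence alone.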