| # | CVSS | Severity | Vector | Vendor | Product | Description | CWE | CVE | Updated | Published |
|---|------|----------|--------|--------|---------|-------------|-----|-----|---------|-----------|
| 461 | 4.8 | MEDIUM | Network | gfi | helpdesk | GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the language management functionality where the charset POST parameter is passed directly to SWIFT_Language::Create(… | CWE-79 Cross-site Scripting | CVE-2026-23753 | 2026-04-28 00:07 | 2026-04-21 |
| 462 | 7.5 | HIGH | Network | gomarkdown | markdown | The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Processing a malformed input containing a < character that is not followed by a > charact… | CWE-125 Out-of-bounds Read | CVE-2026-40890 | 2026-04-28 00:07 | 2026-04-22 |
| 463 | 7.8 | HIGH | Local | openclaw | openclaw | OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute during built-in channel setup and login. Attackers can clone a works… | CWE-829 Inclusion of Functionality from Untrusted Control Sphere | CVE-2026-41295 | 2026-04-28 00:06 | 2026-04-21 |
| 464 | 8.2 | HIGH | Network | openclaw | openclaw | OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path val… | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition | CVE-2026-41296 | 2026-04-28 00:06 | 2026-04-21 |
| 465 | 7.6 | HIGH | Network | openclaw | openclaw | OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows attackers to access internal resources by following unvalid… | CWE-918 Server-Side Request Forgery (SSRF) | CVE-2026-41297 | 2026-04-28 00:05 | 2026-04-21 |
| 466 | 7.5 | HIGH | Network | roxy-wi | roxy-wi | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the oldconfig parameter in the haproxy_section_save interface has an arbitrary file re… | CWE-22 Path Traversal | CVE-2026-33077 | 2026-04-28 00:04 | 2026-04-24 |
| 467 | 9.8 | CRITICAL | Network | roxy-wi | roxy-wi | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the haproxy_section_save interface presents a vulnerability that could lead to remote … | CWE-22 Path Traversal | CVE-2026-33076 | 2026-04-28 00:03 | 2026-04-24 |
| 468 | 5.4 | MEDIUM | Network | gfi | helpdesk | GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the Troubleshooter module where the subject POST parameter is not sanitized in Controller_Step.InsertSubmit() and Ed… | CWE-79 Cross-site Scripting | CVE-2026-23756 | 2026-04-28 00:02 | 2026-04-21 |
| 469 | 8.8 | HIGH | Network | actualbudget | actual | Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migrated from password authentication to Ope… | CWE-284 Improper Access Control; CWE-862 Missing Authorization | CVE-2026-33318 | 2026-04-28 00:01 | 2026-04-24 |
| 470 | 5.4 | MEDIUM | Network | gfi | helpdesk | GFI HelpDesk before 4.99.10 contains a stored cross-site scripting vulnerability in the Reports module where the title parameter is passed directly to SWIFT_Report::Create() without HTML sanitization… | CWE-79 Cross-site Scripting | CVE-2026-23757 | 2026-04-27 23:59 | 2026-04-21 |