|
1161
|
7.5 |
HIGH
Network
|
powerdns
|
authoritative
dnsdist
recursor
|
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-33260
|
2026-04-28 02:03 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1162
|
5.9 |
MEDIUM
Network
|
powerdns
|
recursor
|
A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.
|
CWE-353
Missing Support for Integrity Check
|
CVE-2026-33261
|
2026-04-28 02:03 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1163
|
5.9 |
MEDIUM
Network
|
powerdns
|
recursor
|
An attacker can send replies that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. Cookies are disabled by default.
|
CWE-476
NULL Pointer Dereference
|
CVE-2026-33262
|
2026-04-28 02:02 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1164
|
5.0 |
MEDIUM
Network
|
froxlor
|
froxlor
|
Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when s…
|
CWE-863
Incorrect Authorization
|
CVE-2026-41232
|
2026-04-28 02:02 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1165
|
7.5 |
HIGH
Network
|
froxlor
|
froxlor
|
Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` pa…
|
CWE-59
Link Following
|
CVE-2026-41231
|
2026-04-28 02:01 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1166
|
8.5 |
HIGH
Network
|
froxlor
|
froxlor
|
Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in …
|
CWE-93
CRLF Injection
|
CVE-2026-41230
|
2026-04-28 02:01 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1167
|
9.1 |
CRITICAL
Network
|
froxlor
|
froxlor
|
Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single qu…
|
CWE-94
Code Injection
|
CVE-2026-41229
|
2026-04-28 02:00 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1168
|
9.9 |
CRITICAL
Network
|
froxlor
|
froxlor
|
Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against…
|
CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
|
CVE-2026-41228
|
2026-04-28 02:00 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1169
|
4.9 |
MEDIUM
Network
|
powerdns
|
recursor
|
An RPZ sent by a malicious authoritative server can result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service.
|
CWE-476
NULL Pointer Dereference
|
CVE-2026-33600
|
2026-04-28 01:59 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1170
|
5.4 |
MEDIUM
Network
|
froxlor
|
froxlor
|
Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling res…
|
CWE-863
Incorrect Authorization
|
CVE-2026-41233
|
2026-04-28 01:59 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
