|
971
|
8.5 |
HIGH
Network
|
froxlor
|
froxlor
|
Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in …
Update
|
CWE-93
CRLF Injection
|
CVE-2026-41230
|
2026-04-28 02:01 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
972
|
9.1 |
CRITICAL
Network
|
froxlor
|
froxlor
|
Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single qu…
Update
|
CWE-94
Code Injection
|
CVE-2026-41229
|
2026-04-28 02:00 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
973
|
9.9 |
CRITICAL
Network
|
froxlor
|
froxlor
|
Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against…
Update
|
CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
|
CVE-2026-41228
|
2026-04-28 02:00 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
974
|
4.9 |
MEDIUM
Network
|
powerdns
|
recursor
|
An RPZ sent by a malicious authoritative server can result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service.
Update
|
CWE-476
NULL Pointer Dereference
|
CVE-2026-33600
|
2026-04-28 01:59 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
975
|
5.4 |
MEDIUM
Network
|
froxlor
|
froxlor
|
Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling res…
Update
|
CWE-863
Incorrect Authorization
|
CVE-2026-41233
|
2026-04-28 01:59 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
976
|
4.9 |
MEDIUM
Network
|
powerdns
|
recursor
|
If you use the zoneToCache function with a malicious authoritative server, an attacker can send a zone that result in a null pointer dereference, caused by a missing consistency check and leading to …
Update
|
CWE-476
NULL Pointer Dereference
|
CVE-2026-33601
|
2026-04-28 01:58 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
977
|
7.5 |
HIGH
Network
|
powerdns
|
dnsdist
|
An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default.
Update
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-33254
|
2026-04-28 01:58 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
978
|
5.3 |
MEDIUM
Network
|
openclaw
|
openclaw
|
OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability in the Nostr DM ingress path that allows pairing challenges to be issued before event signature vali…
Update
|
CWE-347
Improper Verification of Cryptographic Signature
|
CVE-2026-41301
|
2026-04-28 01:56 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
979
|
6.5 |
MEDIUM
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.3.31 contains a trust-decline vulnerability that preserves attacker-discovered endpoints in remote onboarding flows. Attackers can route gateway credentials to malicious endpoint…
Update
|
CWE-372
Incomplete Internal State Distinction
|
CVE-2026-41300
|
2026-04-28 01:56 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
980
|
7.1 |
HIGH
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the chat.send gateway method where ACP-only provenance fields are gated by self-declared client metadata from WebSocket han…
Update
|
CWE-807
Reliance on Untrusted Inputs in a Security Decision
|
CVE-2026-41299
|
2026-04-28 01:56 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
