|
2741
|
6.3 |
MEDIUM
Network
|
-
|
-
|
/cgi-bin/time.cgi in Atlona AT-OME-MS42 Matrix Switcher 1.1.2 allow remote authenticated users to execute arbitrary commands as root via a POST request that carries a serverName parameter.
|
CWE-77
Command Injection
|
CVE-2024-30167
|
2026-05-9 01:02 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2742
|
7.3 |
HIGH
Network
|
-
|
-
|
An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized bef…
|
CWE-78
OS Command
|
CVE-2025-67888
|
2026-05-9 01:02 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2743
|
7.5 |
HIGH
Network
|
coredns.io
|
coredns
|
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport w…
|
CWE-303
Incorrect Implementation of Authentication Algorithm
|
CVE-2026-33190
|
2026-05-9 01:01 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2744
|
7.5 |
HIGH
Network
|
coredns.io
|
coredns
|
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. The l…
|
CWE-863
Incorrect Authorization
|
CVE-2026-33489
|
2026-05-9 01:00 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2745
|
9.8 |
CRITICAL
Network
|
coredns.io
|
coredns
|
CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. For gRPC and QUIC, the server check…
|
CWE-287
Improper Authentication
|
CVE-2026-35579
|
2026-05-9 00:58 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2746
|
6.1 |
MEDIUM
Network
|
-
|
-
|
A Cross Site Scripting vulnerability in Alkacon OpenCms before 10.5.1 exists via cmis-online/type.
|
CWE-79
Cross-site Scripting
|
CVE-2023-42343
|
2026-05-9 00:58 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2747
|
7.3 |
HIGH
Network
|
-
|
-
|
Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet.
|
CWE-611
XXE
|
CVE-2023-42344
|
2026-05-9 00:58 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2748
|
6.1 |
MEDIUM
Network
|
-
|
-
|
A Cross Site Scripting vulnerability in Alkacon OpenCms before 16 exists via updateModelGroups.jsp.
|
CWE-79
Cross-site Scripting
|
CVE-2023-42345
|
2026-05-9 00:58 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2749
|
8.7 |
HIGH
Network
|
-
|
-
|
Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with…
|
CWE-79
Cross-site Scripting
|
CVE-2026-41524
|
2026-05-9 00:58 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2750
|
7.1 |
HIGH
Network
|
-
|
-
|
Brave CMS is an open-source CMS. Prior to commit 6c56603, the contact form is publicly accessible (no authentication required). User-supplied message text is passed through PHP's nl2br() function, wh…
|
CWE-79
Cross-site Scripting
|
CVE-2026-41576
|
2026-05-9 00:58 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
