CVEs

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's linkify() function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters (") in the URL. HTMLPurifier (called first via getCleanBody()) preserves literal " characters in text nodes. linkify() then wraps URLs including those " chars inside an unescaped href="..." attribute, breaking out of the href and injecting arbitrary HTML attributes. Version 1.8.213 fixes the issue.

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can access diagnostic and system tools that should be restricted to administrators. The /system/cron endpoint relies on a static MD5 hash derived from the APP_KEY, which is exposed in the response and logs. Accessing these endpoints reveals sensitive server information (Full Path Disclosure), process IDs, and allows for Resource Exhaustion (DoS) by triggering heavy background tasks repeatedly without any rate limiting. The cron hash is generated using md5(APP_KEY . 'web_cron_hash'). Since this hash is often transmitted via GET requests, it is susceptible to exposure in server logs, browser history, and proxy logs. Furthermore, the lack of rate limiting on these endpoints allows for automated resource exhaustion (DoS) and brute-force attempts. Version 1.8.213 fixes the issue.

Visitor Management System 1.0 by sanjay1313 is vulnerable to Unrestricted File Upload in vms/php/admin_user_insert.php and vms/php/update_1.php. The move_uploaded_file() function is called without any MIME type, extension, or content validation, allowing an authenticated admin to upload a PHP webshell and achieve Remote Code Execution on the server.

SQL injection vulnerability in Zeon Academy Pro by Zeon Global Tech. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a POST request using the parameter 'phonenumber' in '/private/continue-upload.php'.

HTML injection vulnerability in PHP Point of Sale v19.4. This vulnerability allows an attacker to render HTML in the victim's browser due to a lack of proper validation of user input by sending a request to '/reports/generate/specific_customer', ussing 'start_date_formatted' y 'end_date_formatted' parameters.

Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt. Net::Dropbear versions before 0.14 includes versions of Dropbear 2019.78 or earlier. These include versions of libtomcrypt v1.18.1 or earlier, which is affected by CVE-2016-6129 and CVE-2018-12437.

Storable versions before 3.05 for Perl has a stack overflow. The retrieve_hook function stored the length of the class name into a signed integer but in read operations treated the length as unsigned. This allowed an attacker to craft data that could trigger the overflow.

Vulnerability related to an unquoted search path in CivetWeb v1.16. This vulnerability allows a local attacker to execute arbitrary code with elevated privileges by placing a malicious executable in a directory that is scanned before the intended application path (C:\Program Files\CivetWeb\CivetWeb.exe --), due to the absence of quotes in the service configuration.

The method "sock_recvfrom_into()" of "asyncio.ProacterEventLoop" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected.

In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code execution with the ability to execute arbitrary operating system commands on the server.

In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation.

Dovestones Softwares AD Self Update <4.0.0.5 is vulnerable to Cross Site Request Forgery (CSRF). The affected endpoint processes state-changing requests without requiring a CSRF token or equivalent protection. The endpoint accepts application/x-www-form-urlencoded requests, and an originally POST-based request can be converted to a GET request while still successfully updating user details. This allows an attacker to craft a malicious request that, when visited by an authenticated user, can modify user account information without their consent.

Dovestones Softwares ADPhonebook <4.0.1.1 has a reflected cross-site scripting (XSS) vulnerability in the search parameter of the /ADPhonebook?Department=HR endpoint. User-supplied input is reflected in the HTTP response without proper input validation or output encoding, allowing execution of arbitrary JavaScript in the victim's browser.

XiangShan (open-source high-performance RISC-V processor) commit edb1dfaf7d290ae99724594507dc46c2c2125384 (2024-11-28) has improper gating of its distributed CSR write-enable path, allowing illegal CSR write attempts to alter custom PMA (Physical Memory Attribute) CSR state. Though the RISC-V privileged specification requires an illegal-instruction exception for non-existent/illegal CSR accesses, affected XiangShan versions may still propagate such writes to replicated PMA configuration state. Local attackers able to execute code on the core (privilege context depends on system integration) can exploit this to tamper with memory-attribute enforcement, potentially leading to privilege escalation, information disclosure, or denial of service depending on how PMA enforces platform security and isolation boundaries.

User‑Controlled HTTP Header in Fortra's GoAnywhere MFT prior to version 7.10.0 allows attackers to trigger a DNS lookup, as well as DNS Rebinding and Information Disclosure.

The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.

An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page.

HCL BigFix Service Management (SM) Discovery is vulnerable to unenforced encryption due to port 80 (HTTP) being open, allowing unencrypted access. An attacker with access to the network traffic can sniff packets from the connection and uncover the data.

HCL BigFix Service Management is susceptible to HTTP Request Smuggling. HTTP request smuggling vulnerabilities arise when websites route HTTP requests through web servers with inconsistent HTTP parsing. HTTP Smuggling exploits inconsistencies in request parsing between front-end and back-end servers, allowing attackers to bypass security controls and perform attacks like cache poisoning or request hijacking.

The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.

Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which allows admin users to brute-force decryption of data.

Cross-Site Scripting (XSS) vulnerability reflected in Semantic MediaWiki. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL using the '/index.php/Speciaal:GefacetteerdZoeken' endpoint parameter. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.

Memory safety bugs present in Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.

Incorrect boundary conditions, integer overflow in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150.

Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 150.

Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150.

Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150.

Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150.

Invalid pointer in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150.

Other issue in the Networking: DNS component. This vulnerability was fixed in Firefox 150.

Incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150.

Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150.

Denial-of-service due to integer overflow in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 150.

Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.

Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Other issue in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Privilege escalation in the Debugger component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150.

Other issue in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.

Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Incorrect boundary conditions in the DOM: Device Interfaces component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Mitigation bypass in the File Handling component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.

Privilege escalation in the Networking component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150.

Use-after-free in the Widget: Cocoa component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150.

Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Memory safety bugs present in Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.

Updated: 2026-04-21

Incorrect boundary conditions, integer overflow in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150.

Updated: 2026-04-21

Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 150.

Updated: 2026-04-21

Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150.

Updated: 2026-04-21

Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150.

Updated: 2026-04-21

Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150.

Updated: 2026-04-21

Invalid pointer in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150.

Updated: 2026-04-21

Other issue in the Networking: DNS component. This vulnerability was fixed in Firefox 150.

Updated: 2026-04-21

Incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Updated: 2026-04-21

Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150.

Updated: 2026-04-21

Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150.

Updated: 2026-04-21

Denial-of-service due to integer overflow in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 150.

Updated: 2026-04-21

Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.

Updated: 2026-04-21

Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Updated: 2026-04-21

Other issue in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Updated: 2026-04-21

Privilege escalation in the Debugger component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Updated: 2026-04-21

Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150.

Updated: 2026-04-21

Other issue in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.

Updated: 2026-04-21

Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Updated: 2026-04-21

Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Updated: 2026-04-21

Incorrect boundary conditions in the DOM: Device Interfaces component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Updated: 2026-04-21

Mitigation bypass in the File Handling component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Updated: 2026-04-21

Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.

Updated: 2026-04-21

Privilege escalation in the Networking component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Updated: 2026-04-21

Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150.

Updated: 2026-04-21

Use-after-free in the Widget: Cocoa component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Updated: 2026-04-21

Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150.

Updated: 2026-04-21

Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Updated: 2026-04-21

Mitigation bypass in Firefox for Android. This vulnerability was fixed in Firefox 150.

Updated: 2026-04-21

Mitigation bypass in the DOM: postMessage component. This vulnerability was fixed in Firefox 150.

Updated: 2026-04-21

Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.

Updated: 2026-04-21

Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Updated: 2026-04-21

Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.

Updated: 2026-04-21

Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Updated: 2026-04-21

Privilege escalation in the Graphics: WebRender component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.

Updated: 2026-04-21

Information disclosure due to uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.

Updated: 2026-04-21

Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Updated: 2026-04-21

Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Updated: 2026-04-21

Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.

Updated: 2026-04-21

HKUDS OpenHarness prior to PR #159 remediation contains a session key derivation vulnerability that allows authenticated participants in shared chats or threads to hijack other users' sessions by exploiting a shared ohmo session key that lacks sender identity verification. Attackers can reuse another user's conversation state and replace or interrupt their active tasks by colliding into the same session boundary through the shared chat or thread scope.

Updated: 2026-04-21

The Website LLMs.txt plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Updated: 2026-04-21

The Website LLMs.txt plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 8.2.6. This is due to the use of filter_input() without a sanitization filter and insufficient output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.

Updated: 2026-04-21

The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to modify global site-wide plugin configuration options, including toggling custom CSS, disabling blocks, changing layout defaults such as content width, container padding, and container gap, and altering auto-block-recovery behavior.

Updated: 2026-04-21

The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to Unauthenticated Open Email Relay in all versions up to, and including, 2.2.0. This is due to insufficient authorization checks and missing server-side validation of the recipient email address supplied via a public REST API route. This makes it possible for unauthenticated attackers to send arbitrary emails to any recipient of their choosing through the affected WordPress site's mail server, effectively turning the site into an open mail relay.

Updated: 2026-04-21

The Plugin: CMS für Motorrad Werkstätten plugin for WordPress is vulnerable to SQL Injection via the 'arttype' parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Updated: 2026-04-21

Changing backend users' passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0.

Updated: 2026-04-21

Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts. To remediate this issue, users should upgrade to version 3.3.1, 4.0.5 or above.

Updated: 2026-04-21

Vvveb CMS v1.0.8 contains a remote code execution vulnerability in its media management functionality where a missing return statement in the file rename handler allows authenticated attackers to rename files to blocked extensions .php or .htaccess. Attackers can exploit this logic flaw by first uploading a text file and renaming it to .htaccess to inject Apache directives that register PHP-executable MIME types, then uploading another file and renaming it to .php to execute arbitrary operating system commands as the www-data user.

Updated: 2026-04-21

Vvveb CMS 1.0.8 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshell with a .phtml extension. Attackers can bypass the extension deny-list and upload malicious files to the publicly accessible media directory, then request the file over HTTP to achieve full server compromise.

Updated: 2026-04-21

A vulnerability in the SQL Box in the admin interface of OTRS leads to an uncontrolled resource consumption leading to a DoS against the webserver. will be killed by the systemThis issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.3.X

Updated: 2026-04-21