CVSS 3.1 base score: 5.4

CVE-2026-41233 - Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add()

Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling reseller does not have the `customers_see_all` permission. This allows a reseller to attribute newly cr…

Published: April 23, 2026, 4 a.m. Last Modified: April 23, 2026, 4 a.m.

CVSS 3.1 base score: 5

CVE-2026-41232 - Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index that Allows Cross-C…

Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to `validateLocalDomainOwne…

Published: April 23, 2026, 3:54 a.m. Last Modified: April 23, 2026, 3:54 a.m.

CVSS 3.1 base score: 7.5

CVE-2026-41231 - Froxlor has Incomplete Symlink Validation in DataDump.add() that Allows Arbitrary Directory Ownersh…

Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other…

Published: April 23, 2026, 3:52 a.m. Last Modified: April 23, 2026, 3:52 a.m.

CVSS 3.1 base score: 8.5

CVE-2026-41230 - Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()

Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g…

Published: April 23, 2026, 3:47 a.m. Last Modified: April 23, 2026, 3:47 a.m.

CVSS 3.1 base score: 9.1

CVE-2026-41229 - Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlS…

Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings` permission adds or updates a MySQL server via the A…

Published: April 23, 2026, 3:44 a.m. Last Modified: April 23, 2026, 3:44 a.m.

CVSS 3.1 base score: 10

CVE-2026-41228 - Froxlor has Local File Inclusion via path traversal in API `def_language` parameter that leads to R…

Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path tr…

Published: April 23, 2026, 3:41 a.m. Last Modified: April 23, 2026, 3:41 a.m.

CVSS 3.1 base score: 6.4

CVE-2026-3361 - WP Store Locator <= 2.2.261 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpsl_ad…

The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpsl_address' post meta value in versions up to, and including, 2.2.261 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-le…

Published: April 23, 2026, 3:26 a.m. Last Modified: April 23, 2026, 3:26 a.m.

CVSS 3.1 base score: 5.4

CVE-2026-3007 - Stored Cross-Site Scripting (XSS) Vulnerability

Successful exploitation of the stored cross-site scripting (XSS) vulnerability could allow an attacker to execute arbitrary JavaScript on any user account that has access to Koollab LMS’ courselet feature.

Published: April 23, 2026, 2:54 a.m. Last Modified: April 23, 2026, 2:54 a.m.

CVSS 3.1 base score: 9.8

CVE-2026-3844 - Breeze Cache <= 2.4.4 - Unauthenticated Arbitrary File Upload via fetch_gravatar_from_remote

The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected …

Published: April 23, 2026, 2:25 a.m. Last Modified: April 23, 2026, 2:25 a.m.

CVSS 3.1 base score: 5.4

CVE-2026-2951 - Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor <= 3.5.5 - Authenticated (Contribut…

The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contribu…

Published: April 23, 2026, 2:25 a.m. Last Modified: April 23, 2026, 2:25 a.m.