9 matches found

Source: Vulnrichment, added 2026/05/11 3:24 p.m., 7 views

CVE-2026-42613 Grav: Privilege Escalation via Missing Server-Side Validation of groups/access

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, the Login::register method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without server-side validation. When registration is enabled and groups or access are included in the...

CVSS 9.4, AI score 5.8, EPSS 0.00023
Exploits: 0, References: 2
Source: Cvelist, added 2026/04/21 4:52 p.m., 28 views

CVE-2026-40590 FreeScout's Customer AJAX Create Modifies Hidden Existing Customer

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the Change Customer modal exposes a “Create a new customer” flow via POST /customers/ajax with action=create. Under limited visibility, the endpoint drops unique-email validation. If the supplied email already...

CVSS 4.3, EPSS 0.00032
Exploits: 0, References: 3
Source: CNNVD, added 2026/04/21 12:00 a.m., 3 views

FreeScout Security Vulnerability

FreeScout is a lightweight and powerful free open-source help desk and shared inbox built on the PHP Laravel framework by FreeScout Inc. Versions of FreeScout prior to 1.8.214 contained security vulnerabilities. These vulnerabilities stemmed from the phone conversation creation process, which...

CVSS 7.1, AI score 5.8, EPSS 0.00032
Exploits: 0, References: 1
Source: CNNVD, added 2026/04/21 12:00 a.m., 2 views

FreeScout Security Vulnerability

FreeScout is a lightweight and powerful free open-source help desk and shared inbox built on the PHP Laravel framework by FreeScout Inc. Versions of FreeScout prior to 1.8.214 contained security vulnerabilities. These vulnerabilities stemmed from the fact that, under limited visibility, the...

CVSS 4.3, AI score 5.8, EPSS 0.00032
Exploits: 0, References: 1
Source: CVE, added 2026/03/29 12:44 p.m., 4 views

CVE-2026-33573

OpenClaw (prior to 2026.3.11) suffers an authorization bypass in the gateway agent RPC. Authenticated operators with operator.write permission can override workspace boundaries by supplying attacker-controlled spawnedBy and workspaceDir values, enabling escape from the configured workspace and ex...

CVSS 8.8, AI score 6.1, EPSS 0.00058
Exploits: 0, References: 2, Affected Software: 1
Source: NVD, added 2026/03/20 8:16 a.m., 3 views

CVE-2026-33061

Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescap...

CVSS 5.8, EPSS 0.00032
Exploits: 1, References: 2
Source: CVE, added 2026/03/20 7:34 a.m., 5 views

CVE-2026-33061

CVE-2026-33061 affects Jexactyl (previously named Exactyl), a configurable game management panel and billing system. The issue arises from injecting server-side objects into client-side JavaScript via resources/views/templates/wrapper.blade.php, where unescaped {!! json_encode(...) !!} is used wi...

CVSS 5.8, AI score 5.9, EPSS 0.00032
Exploits: 1, References: 2, Affected Software: 1
Source: Positive Technologies, added 2026/03/18 12:00 a.m., 1 view

PT-2026-26205

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the...

CVSS 4.3, AI score 5.7, EPSS 0.00014
Exploits: 0, References: 6
Source: OSV, added 2019/07/25 10:00 a.m., 0 views

UBUNTU-CVE-2019-13917

Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations that use the $sort expansion for items that can be controlled by an attacker (e.g., $localpart or $domain)...

CVSS 9.8, AI score 7.8, EPSS 0.16396
Exploits: 0, References: 4