PT-2026-40947

Open OnDemand is an open-source high-performance computing portal. Prior to 4.0.11, 4.1.5, and 4.2.2, specially crafted filenames can execute javascript in the file browser This vulnerability is fixed in 4.0.11, 4.1.5, and 4.2.2...

WEBCON BPS 跨站脚本漏洞

WEBCON BPS is a low-code business process management and workflow automation platform developed by the Polish company WEBCON. Versions of WEBCON BPS prior to 2026.1.3.109 and 2025.2.1.293 contained a cross-site scripting vulnerability. This vulnerability stemmed from reflective cross-site scripti...

PT-2026-40849

The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including 1.12.4. This is due to insufficient input sanitization in the update gallery data function and improper output escaping in the gallery init function. The...

RHEL 9 : firefox (RHSA-2026:17688)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:17688 advisory. Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fixes: firefox:...

Amazon Linux 2 : thunderbird, --advisory ALAS2-2026-3290 (ALAS-2026-3290)

The version of thunderbird installed on the remote host is prior to 140.10.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3290 advisory. Double-Free / Use-After-Free UAF in the IntoIter::drop and ThinVec::clear functions in the thinvec crate. A panic i...

PT-2026-40878

Name of the Vulnerable Software and Affected Versions GitLab EE versions 16.4 through 18.9.6 GitLab EE versions 18.10 through 18.10.5 GitLab EE versions 18.11 through 18.11.2 Description Improper input sanitization allows an authenticated user with developer-role permissions to execute arbitrary...

PT-2026-40852

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 15.11 through 18.9.6 GitLab CE/EE versions 18.10 through 18.10.5 GitLab CE/EE versions 18.11 through 18.11.2 Description An issue exists where improper input sanitization allows an authenticated user to inject HTML and...

Important: thunderbird

Issue Overview: Double-Free / Use-After-Free UAF in the IntoIter::drop and ThinVec::clear functions in the thinvec crate. A panic in ptr::dropinplace skips setting the length to zero. CVE-2026-6654 Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150,...

RHEL 10 : firefox (RHSA-2026:17690)

The remote Redhat Enterprise Linux 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:17690 advisory. Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fixes: firefox:...

RHEL 8 : firefox (RHSA-2026:17477)

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:17477 advisory. Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fixes: firefox:...

VulnCheck KEV: CVE-2026-47100

Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting. Attackers can inject...

PT-2026-41069

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 148.0.7778.168 Description A type confusion issue in V8 allows a remote attacker to execute arbitrary code within a sandbox by using a specially crafted HTML page. Type confusion occurs when a program accesses a...

CVE-2026-44369

CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation...

CVE-2026-44369

CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation...

CVE-2026-44369 CVAT: Stored XSS via annotation guides

CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation...

CVE-2026-42548

Flight (PHP micro-framework) contains a reflected XSS in Flight::jsonp() prior to version 3.18.1, where the ?jsonp= parameter is concatenated into a JavaScript response without validating the callback name. This allows an attacker to inject arbitrary JavaScript that executes in the response origi...

EUVD-2026-29893

After invoking $internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine through $where, $function, mapreduce reduce stage, etc. is used also in...

CVE-2026-0256

CVE-2026-0256 describes a stored cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software that allows a malicious authenticated administrator to store a JavaScript payload via the web interface. Affected products include PAN-OS on PA-Series and VM-Series firewalls and Panora...

CVE-2026-8496 A cross-site scripting (XSS) vulnerability in Alinto SOGo, version 5.12.7

A cross-site scripting XSS vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation files allows arbitrary JavaScript execution within the authenticated SOGo webmail session. The issue occurs because SVG content embedded in the description field of an ICS...

CVE-2026-8496

A cross-site scripting XSS vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation files allows arbitrary JavaScript execution within the authenticated SOGo webmail session. The issue occurs because SVG content embedded in the description field of an ICS...