CVE-2026-6956

ATutor is vulnerable to a Reflected XSS in the /install/install.php endpoint. An attacker can supply a crafted URL that, when opened, causes arbitrary JavaScript execution in the victim’s browser. The issue has been tested only on version 2.2.4; other versions were not tested but might also be vu...

CVE-2026-6956 Reflected XSS in ATutor

ATutor is vulnerable to Reflected XSS in /install/install.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early...

CVE-2026-6909

ATutor is vulnerable to Reflected XSS in /install/upgrade.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early...

CVE-2026-41951

The vulnerability CVE-2026-41951 affects GROWI up to v7.5.0, where a path traversal flaw could let an attacker cause the server to execute arbitrary EJS templates when an email server is running. The issue is documented in multiple sources (NVD/CVE entries) with CVSS v3.0/4.0 base scores of 7.2/8...

CVE-2026-41951

Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI...

CVE-2026-41951

Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI...

firefox: thunderbird: Invalid pointer in the JavaScript: WebAssembly component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Invalid pointer in the JavaScript: WebAssembly component...

firefox: thunderbird: Use-after-free in the JavaScript Engine component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Use-after-free in the JavaScript Engine component...

PT-2026-39892

Name of the Vulnerable Software and Affected Versions SandboxJS versions prior to 0.9.6 Description Sandbox-defined functions expose the Function.caller property, which allows sandboxed code to recover the internal LispType.Call runtime callback. An attacker can invoke this callback using forged...

Official Clerk JavaScript SDKs 代码问题漏洞

The Official Clerk JavaScript SDKs are an open-source repository for Clerk authentication purposes. These SDKs have code vulnerabilities that can lead to false positives during authorization checks. This occurs when functions like has and auth.protect, along with related authorization predicates,...

Link Preview JS 代码问题漏洞

Link Preview JS is an open-source tool developed by op-engineering for extracting information about web links. Versions of Link Preview JS prior to 4.0.1 contained code vulnerabilities. These vulnerabilities stemmed from the library’s failure to detect IPv6 loop attacks, and DNS attacks that coul...

CVE-2025-61306

The CVE-2025-61306 vulnerability is a reflected XSS in the dfm-menu_coveragealerts.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c. The issue arises from injecting a crafted payload into an unfiltered variable value, allowing an attacker to execute arbitrary JavaScript in a...

CVE-2025-61310

A reflected cross-site scripted XSS vulnerability in the acc-menubillings.php component of GmbH Mecury Managed Print Services docuForm v11.11c allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into an unfiltered variable value...

DeepChat 跨站脚本漏洞

DeepChat is an intelligent assistant developed by ThinkInAIXYZ as open source. Versions of DeepChat prior to v1.0.4-beta.1 contained a cross-site scripting vulnerability. This vulnerability stemmed from the discrepancy between the backend validation layer and the front-end browser rendering engin...

PT-2026-39882

Name of the Vulnerable Software and Affected Versions MantisBT affected versions not specified Description An attacker can bypass the Content Security Policy CSP script-src directive by uploading a crafted attachment to an issue. When this attachment is accessed via the 'file download.php'...

ATutor 跨站脚本漏洞

ATutor is a set of open-source web-based Learning Content Management Systems LCMS developed by the Atutor team. This system includes modules for teaching content management, forums, chat rooms, etc. Version 2.2.4 of ATutor has a cross-site scripting vulnerability. This vulnerability stems from th...

GROWI 路径遍历漏洞

GROWI is an enterprise-level open-source knowledge base/Wiki system built using Node.js and React by GROWI Inc. GROWI versions 7.5.0 and earlier have a path traversal vulnerability. This vulnerability allows attackers to execute arbitrary EJS templates on the server...

CVE-2025-61314

A reflected cross-site scripted XSS vulnerability in the dfm-menuorderopt.php component of GmbH Mecury Managed Print Services docuForm v11.11c allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into an unfiltered variable value...

📄 Car Rental Script 4.0 Cross Site Scripting

Car Rental Script version 4.0 suffers from a cross site scripting vulnerability. Titles: Car-Rental-Script4.0-XSS-Reflected Cross-site scripting reflected Author: nu11secur1ty Date: 05/08/2026 Vendor: https://www.phpjabbers.com/ Software: https://www.phpjabbers.com/car-rental-script/ Reference:...

CVE-2025-61308

CVE-2025-61308 describes a reflected XSS in the dfm-menu_maintenance.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c. The underlying issue is an unfiltered variable value that allows attackers to inject arbitrary JavaScript, executed in a user’s browser context. The CVSS 3....