Improper Encoding or Escaping of Output

Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the RSS feed rendering process. An attacker can execute arbitrary JavaScript in the context of RSS readers by injecting malicious tag names or raw HTML markdown content. This is only exploitab...

CVE-2026-41692

i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 4.0.8 substitute key interpolation tokens inside src and href attribute values with the raw string returned by i18next.t. The substitution logic in...

CVE-2026-41929

Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and componentajax POST parameter. Attackers can craft a malicious link or...

EUVD-2026-28440

i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 4.0.8 substitute key interpolation tokens inside src and href attribute values with the raw string returned by i18next.t. The substitution logic in...

CVE-2026-41692

CVE-2026-41692 affects i18nextify prior to 4.0.8. The library substitutes {{key}} tokens in src and href/src attributes with i18next.t() results, and its replaceInside handler only guards against a duplicated http:// origin, not the URL scheme. As a result, translated values like javascript:alert...

CVE-2026-41692 i18nextify is vulnerable to DOM XSS via javascript:/data: URL schemes in translated href/src attributes

i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 4.0.8 substitute key interpolation tokens inside src and href attribute values with the raw string returned by i18next.t. The substitution logic in...

CVE-2026-41692

i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 4.0.8 substitute key interpolation tokens inside src and href attribute values with the raw string returned by i18next.t. The substitution logic in...

CVE-2026-41692 i18nextify is vulnerable to DOM XSS via javascript:/data: URL schemes in translated href/src attributes

i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 4.0.8 substitute key interpolation tokens inside src and href attribute values with the raw string returned by i18next.t. The substitution logic in...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the referencia field in the product creation process. An attacker can execute arbitrary JavaScript in the browser of another authenticated user by injecting a crafted value into the referencia field, which i...

EUVD-2025-209722

NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js...

node-ts-ocr is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js

NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the rendering process in cron.erb. An attacker can execute arbitrary JavaScript in the context of the user's browser by supplying a crafted URL. Details Cross-site scripting or XSS is a code vulnerability th...

CVE-2026-41650

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "--" sequence in comment content or the "" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection...

Chromium: CVE-2026-7936 Object lifecycle issue in V8

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

Chromium: CVE-2026-7902 Out of bounds memory access in V8

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

CVE-2026-41650

CVE-2026-41650 affects fast-xml-parser XMLBuilder prior to v5.7.0, where unescaped "-->" in comments and "]]>" in CDATA can lead to XML injection when user-controlled data is built into XML from JavaScript objects. This can enable XSS, SOAP injection, or data manipulation as described in th...

RLSA-2026:12285 Important: thunderbird security update

Mozilla Thunderbird is a standalone mail and newsgroup client. Security Fixes: firefox: thunderbird: Incorrect boundary conditions in the Libraries component in NSS CVE-2026-6772 firefox: thunderbird: Use-after-free in the JavaScript Engine component CVE-2026-6754 firefox: thunderbird: Spoofing...

thunderbird security update

An update is available for thunderbird. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Mozilla Thunderbird is a standalone mail and newsgroup client. Security...

USN-8242-2 postfixadmin vulnerability

USN-8242-1 fixed a vulnerability in CiviCRM. This update provides the corresponding fix for PostfixAdmin. Original advisory details: Takuya Aramaki discovered that Smarty, vendored in CiviCRM, did not properly escape JavaScript code. An attacker could possibly use this issue to conduct a cross-si...

USN-8242-1 civicrm vulnerability

Takuya Aramaki discovered that Smarty, vendored in CiviCRM, did not properly escape JavaScript code. An attacker could possibly use this issue to conduct a cross-site scripting attack...