16925 matches found
WSO2多款产品 注入漏洞
WSO2 API Manager, among others, are products of the American company WSO2. The WSO2 API Manager is a suite of API lifecycle management solutions. The WSO2 API Control Plane is a control panel. The WSO2 Traffic Manager is a component designed to regulate and manage API traffic. Several WSO2 produc...
GHSA-MGHP-5CQ4-V6MG Snipe-IT has an open redirect vulnerability
Open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable. Impact - Phishing: Redirect users to fake login pages to steal credentials - Session Hijacking: Redirect to attacker site that captures...
EUVD-2026-28799
Improper Neutralization of Input During Web Page Generation XSS vulnerability in absinthe-graphql absintheplug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':jsescape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the...
GHSA-2H64-C999-C9R6 SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE
Summary The kernel stores Attribute View AV / database names without any HTML escape, then a render template uses raw strings.ReplaceAlltpl, "$avName", nodeAvName to embed the name in HTML before pushing to all clients via WebSocket. Three independent client paths render.ts:120 → outerHTML,...
CVE-2026-41683 HTTP response splitting and DoS in i18next-http-middleware via unsanitised Content-Language header
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which ...
Daptin fuzzy search injects unvalidated column name into raw SQL
Summary processFuzzySearch in server/resource/resourcefindallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.Lfmt.Sprintf"LOWER%s LIKE ?", prefix+col raw SQL with no column whitelist check. The entry point is GET /api/ with...
CVE-2026-8021
CVE-2026-8021 is a UI-based script injection (UXSS) in Google Chrome. Multiple connected sources (OSV/DEBIAN-CVE-2026-8021, PT-2026-38214, PTSecurity) confirm: affecting Google Chrome versions prior to 148.0.7778.96, caused by a vulnerability in the browser UI that could execute arbitrary scripts...
FluentCMS 安全漏洞
FluentCMS is a .NET-based content management system CMS that is primarily used to quickly build websites and manage web content. A cross-site scripting vulnerability exists in the FluentCMS TextHTML plugin. The vulnerability stems from insufficient validation of user input and failure to properly...
📄 cPanel Authentication Manipulation / Session Injection
This Python script attempts to an authentication bypass against a cPanel login endpoint by crafting a modified login request and manipulating session-related data. Versions after 11.40 are affected...
CVE-2026-39807
Reliance on Untrusted Inputs in a Security Decision vulnerability in mtrudel bandit allows unauthenticated transport-state spoofing on plaintext HTTP connections. 'Elixir.Bandit.Pipeline':determinescheme/2 in lib/bandit/pipeline.ex returns the client-supplied URI scheme verbatim, ignoring the...
CVE-2026-36761
A stored cross-site scripting XSS vulnerability in the /msg/msgInner/save endpoint of JeeSite v5.15.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the msgContent parameter...
ai.ancf.lmos:lmos-operator (>=0.5.0 <=0.6.0), ai.telosforge:kimaira-starter-dms (>=1.2.4 <=1.2.6) +5116 more potentially affected by CVE-2026-22741 via org.springframework:spring-webmvc (>=6.2.0 <=6.2.17)
org.springframework:spring-webmvc MAVEN version =6.2.0, =0.5.0, =1.2.4, =1.2.4, =1.17.0, =0.3.0, =0.0.1, =0.1.0, =0.1.0, =0.1.0, =8.6.0, =8.6.0, =8.6.0, =8.6.0, =8.6.0, =8.8.1 and more Source cves: CVE-2026-22741 Source advisory: OSV:GHSA-WG35-8JPF-2XV3...
Default Security Bypass
Spring Boot is vulnerable to Default Security Bypass. The vulnerability is due to Spring Boot's default web security being ineffective, where an application with no Spring Security configuration and relying on the default web security filter chain can allow unauthorized access to all endpoints, a...
CVE-2026-40976
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter...
VMware Spring Boot 安全漏洞
VMware Spring Boot is an open-source framework developed by the American company VMware. Versions of VMware Spring Boot 4.0.0 to 4.0.5 have security vulnerabilities. These vulnerabilities stem from the default web security being ineffective, which may allow unauthorized access to all endpoints...
CVE-2026-40976
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter...
CVE-2026-40976
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter...
Cross-site Scripting (XSS)
Overview pimcore/pimcore is a content & product management framework CMS/PIM/E-Commerce. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Document embed editable process. An attacker can execute arbitrary scripts in the context of users viewing the rendered pag...
SourceCodester Pharmacy Sales and Inventory System 注入漏洞
SourceCodester Pharmacy Sales and Inventory System is an open-source medication sales and inventory management system developed by SourceCodester. Version 1.0 of the SourceCodester Pharmacy Sales and Inventory System has a SQL injection vulnerability, which stems from the handling of parameter ID...
PT-2026-35548
Name of the Vulnerable Software and Affected Versions Spring Boot versions 4.0.0 through 4.0.5 Description Default web security in certain configurations is ineffective, allowing unauthorized and unauthenticated access to all endpoints. This occurs when a servlet-based web application relies on t...