CVE-2026-11434
CVE-2026-11434 affects FluentCMS 0.0.5, specifically the Blocks Plugin via an unknown function in the /admin/blocks file. The issue allows a cross-site scripting (XSS) flaw due to manipulation of that function, and can be initiated remotely. Public exploits exist according to the record, and th...
FluentCMS Code Injection Vulnerability
FluentCMS is an open-source content management system developed by FluentCMS. Version 0.0.5 of FluentCMS has a code injection vulnerability, which stems from unknown functions in the Blocks Plugin component file located at admin/blocks. This vulnerability may lead to cross-site scripting attacks...
@d-trattner/pidex (>=0.1.1 <=0.1.3), @tanstack/react-start (>=1.167.21 <=1.167.65) +1 more potentially affected by CVE-2026-45321 via @tanstack/react-start-rsc (>=0.0.1 <=0.0.5)
@tanstack/react-start-rsc NPM version =0.0.1, =0.1.1, =1.167.21, =0.1.0, =0.6.0 Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKREACTSTARTRSC-16640211...
Malicious code in @gaia-codesearch/gaia-api-python (npm)
Per-source details. Source: amazon-inspector (bffb43bbb30e1d5c01c4c389983726a49a5489ddebcfef91353d03f7a767d01f). The package @gaia-codesearch/gaia-api-python was found to contain malicious code. Source: ossf-package-analysis...
a-mailx (=0.1.0), a2 (>=0.1.0 <=0.3.17) +367 more potentially affected by CVE-2026-35397 via jupyter-server (>=0.0.5 <=2.17.0)
jupyter-server PYPI version =0.0.5, =0.1.0, =0.14.0.3, =0.3.0, =0.1.0b0, =1.3.4, =0.18.3, =0.1.0, =1.0.1, =0.1.0, =0.14.0 and more Source cves: CVE-2026-35397 Source advisory: OSV:PYSEC-2026-68...
libcrux Panics During Standalone MAC Operations
An incorrect constant for the key length in libcrux-poly1305 caused the standalone MAC function libcrux_poly1305::mac to always panic with an out-of-bounds memory access. Impact: Applications wishing to use libcrux-poly1305 as a standalone MAC would experience panics. The use of libcrux-poly1305 in...
GHSA-PV9V-5J35-XWCR libcrux Panics During Standalone MAC Operations
An incorrect constant for the key length in libcrux-poly1305 caused the standalone MAC function libcrux_poly1305::mac to always panic with an out-of-bounds memory access. Impact: Applications wishing to use libcrux-poly1305 as a standalone MAC would experience panics. The use of libcrux-poly1305 in...
caver (=0.0.1), distilbert-punctuator (>=0.2.0 <=0.3.0) +1 more potentially affected by CVE-2026-30242 via plane (=0.2.1)
plane PYPI version =0.2.1 is affected by a known vulnerability. The following packages have a transitive dependency on plane and may be impacted: - caver =0.0.1 - distilbert-punctuator =0.2.0, =0.0.5, =0.0.8 Source cves: CVE-2026-30242 Source advisory: OSV:GHSA-FPX8-73GF-7X73...
libcrux-aead (>=0.0.4 <=0.0.7-rc.1) potentially affected by unknown CVE via libcrux-poly1305 (>=0.0.4 <=0.0.5-rc.1)
libcrux-poly1305 CARGO version =0.0.4, =0.0.4, =0.0.7-rc.1 Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2026-0073...
RUSTSEC-2026-0073 Panic in Standalone MAC Operations
An incorrect constant for the key length in libcrux-poly1305 caused the standalone MAC function libcrux_poly1305::mac to always panic with an out-of-bounds memory access. Impact: Applications wishing to use libcrux-poly1305 as a standalone MAC would experience panics. The use of libcrux-poly1305 in...
CVE-2026-2947 rymcu forest User Profile UserInfoController.java updateUserInfo cross site scripting
A vulnerability was detected in rymcu forest up to 0.0.5. This affects the function updateUserInfo of the file src/main/java/com/rymcu/forest/web/api/user/UserInfoController.java of the component User Profile Handler. The manipulation results in cross-site scripting. The attack can be executed...
CVE-2026-2947
CVE-2026-2947 affects rymcu forest up to version 0.0.5, specifically the updateUserInfo function in src/main/java/com/rymcu/forest/web/api/user/UserInfoController.java of the User Profile Handler. The issue enables cross-site scripting due to the underlying manipulation, allowing remote execution...
CVE-2026-2946
A security vulnerability has been detected in rymcu forest up to 0.0.5. Affected by this issue is the function XssUtils.replaceHtmlCode of the file src/main/java/com/rymcu/forest/util/XssUtils.java of the component Article Content/Comments/Portfolio. The manipulation leads to cross-site scripting...
CVE-2026-2946
CVE-2026-2946 affects rymcu forest up to version 0.0.5. The vulnerability is in the function XssUtils.replaceHtmlCode (src/main/java/com/rymcu/forest/util/XssUtils.java) of the Article Content/Comments/Portfolio component, enabling cross-site scripting. The issue enables remote exploitation and t...
forest Code Injection Vulnerability
Forest is a modern knowledge community backend project developed by RYMCU. It is implemented using SpringBoot, Shiro, MyBatis, JWT, and Redis. Versions of Forest 0.0.5 and earlier have a code injection vulnerability. This vulnerability stems from incorrect operations in the updateUserInfo functio...
forest Code Injection Vulnerability
Forest is a modern knowledge community backend project developed by RYMCU. It is implemented using SpringBoot, Shiro, MyBatis, JWT, and Redis. Versions of Forest 0.0.5 and earlier have a code injection vulnerability. This vulnerability stems from incorrect operations on the XssUtils.replaceHtmlCo...
CVE-2026-26974
Slyde is a program that creates animated presentations from XML. In versions 0.0.4 and below, Node.js automatically imports /**.plugin.{js,mjs} files including those from node_modules, so any malicious package with a .plugin.js file can execute arbitrary code when installed or required. All projects...
CVE-2026-26974
CVE-2026-26974 (Slyde) affects Slyde versions 0.0.4 and earlier. The root cause is Node.js automatically importing any /**.plugin.{js,mjs} files, including those from node_modules, enabling a malicious package with a .plugin.js file to execute arbitrary code when installed or required. Impact is ...