CVE-2026-40897

A flaw was found in mathjs, an extensive math library for JavaScript and Node.js. This vulnerability allows a remote attacker to execute arbitrary JavaScript code by evaluating malicious expressions through the mathjs expression parser. This can lead to a complete compromise of the affected...

CVE-2026-42366

GeoVision LPC2011/LPC2211 Web Interface (ssi.cgi) contains reflected XSS vulnerabilities in version 1.10. A crafted URL can trigger arbitrary JavaScript execution in the context of the user’s browser. The CVSSv3.1 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N with a base score of 7.4 (HIGH). Expl...

EUVD-2026-26857

Multiple reflected cross-site scripting xss vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerabili...

PT-2026-36734

Multiple reflected cross-site scripting xss vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerabili...

Astra Linux – Vulnerability in WebKit2GTK

A validation issue has been addressed through improved input sanitization. This issue is fixed in iOS 15.3, iPadOS 15.3, watchOS 8.4, tvOS 15.3, Safari 15.3, and macOS Monterey 12.2. Processing a maliciously crafted email message may result in the execution of arbitrary JavaScript code...

PT-2026-36527

Name of the Vulnerable Software and Affected Versions GSVoIP web panel version 2.0.90 Description A Cross-Site Scripting XSS issue exists where the /painel/gateways.php/error endpoint fails to properly sanitize user-supplied input in the msg parameter. This allows a remote attacker to inject...

Wolters Kluwer LEX Baza Dokumentów 跨站脚本漏洞

Wolters Kluwer LEX Baza Dokumentów is a legal information database system developed by the German company Wolters Kluwer. The system has a cross-site scripting vulnerability, which stems from insecure handling of the cookie parameter “em”. This vulnerability may lead to cross-site scripting attac...

CVE-2026-37750

CVE-2026-37750 is a real, in-the-wild reflected XSS in the School Management System (vendor: mahmoudai1, product: School Management System, version 1.0). The vulnerability is triggered via the unsanitized type parameter in register.php, where user input is echoed back (e.g., echo ucfirst($_REQUES...

CVE-2026-40897

Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the math...

CVE-2026-3007

CVE-2026-3007 is a stored XSS in Koollab LMS, affecting the courselet feature. Exploitation could run arbitrary JS in accounts with access to the courselet, with a CVSS 3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). The vulnerability requires user interaction and has low confidentia...

CVE-2026-3007

Successful exploitation of the stored cross-site scripting XSS vulnerability could allow an attacker to execute arbitrary JavaScript on any user account that has access to Koollab LMS’ courselet feature...

PT-2026-34630

Name of the Vulnerable Software and Affected Versions Koollab LMS affected versions not specified Description A stored cross-site scripting XSS issue exists within the courselet feature. This flaw allows an attacker to execute arbitrary JavaScript on any user account that has access to this...

Silverpeas Core has a reflected cross-site scripting vulnerability

A reflected cross-site scripting XSS vulnerability in the AdvancedSearch functionality of Silverpeas Core allows attackers to execute arbitrary JavaScript in the context of a user's browser via crafted input...

CVE-2026-41468

Beghelli Sicuro24 SicuroWeb uses AngularJS 1.5.2, an end-of-life component, which together with in-app template injection enables sandbox escape and arbitrary JavaScript execution in operator browser sessions. This can lead to session hijacking, DOM manipulation, and persistent browser compromise...

CVE-2026-41468

Beghelli Sicuro24 SicuroWeb embeds AngularJS 1.5.2, an end-of-life component containing known sandbox escape primitives. When combined with template injection present in the same application, these primitives allow attackers to escape the AngularJS sandbox and achieve arbitrary JavaScript executi...

CVE-2026-5816 Improper Resolution of Path Equivalence in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.4 and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute arbitrary JavaScript in a user's browser session due to improper path validation under certain conditions...

CVE-2026-40911

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the msg or callback fields. On the client side, plugin/YPTSocket/script.js contains two eval...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the /index.php/Speciaal:GefacetteerdZoeken parameter. An attacker can execute arbitrary JavaScript in a victim's browser by crafting a malicious URL and tricking the user into visiting it, potentially leadin...

CVE-2026-31013

Dovestones Softwares ADPhonebook 4.0.1.1 has a reflected cross-site scripting XSS vulnerability in the search parameter of the /ADPhonebook?Department=HR endpoint. User-supplied input is reflected in the HTTP response without proper input validation or output encoding, allowing execution of...

CVE-2026-31013

Dovestones Softwares ADPhonebook 4.0.1.1 has a reflected cross-site scripting XSS vulnerability in the search parameter of the /ADPhonebook?Department=HR endpoint. User-supplied input is reflected in the HTTP response without proper input validation or output encoding, allowing execution of...