CVE-2026-9309

Firefox for iOS Reader View did not properly escape HTML tags in JSON-LD metadata. A malicious page could inject markup that changed Reader View behavior and leaked sensitive URL parameters. These parameters could then be used to access internal pages, potentially resulting in arbitrary JavaScrip...

CVE-2026-9308 Arbitrary JavaScript execution in Reader View due to wrong HTML replacement order

Firefox for iOS Reader View replaced page content in its HTML template before replacing other internal placeholders. A malicious page could include a placeholder string that was later substituted with JSON-LD data, potentially resulting in arbitrary JavaScript execution. This vulnerability was...

CVE-2026-9308 Arbitrary JavaScript execution in Reader View due to wrong HTML replacement order

Firefox for iOS Reader View replaced page content in its HTML template before replacing other internal placeholders. A malicious page could include a placeholder string that was later substituted with JSON-LD data, potentially resulting in arbitrary JavaScript execution. This vulnerability was...

Kiteworks 跨站脚本漏洞

Kiteworks is a security private network data software developed by Kiteworks Corporation in the United States. Versions of Kiteworks prior to 9.3.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from reflective cross-site scripting, which could allow external attackers...

PT-2026-45648

Name of the Vulnerable Software and Affected Versions Kiteworks versions prior to 9.3.0 Description Kiteworks is a private data network PDN. A reflected Cross-Site Scripting XSS issue in Kiteworks Secure Data Forms allows an external attacker to trick a user into executing arbitrary JavaScript...

Mozilla Firefox for iOS 安全漏洞

Mozilla Firefox for iOS is a web browser designed for iOS devices by the Mozilla Foundation in the United States. Versions of Mozilla Firefox for iOS prior to 151.2 contained a security vulnerability. This vulnerability stemmed from Reader View replacing the page content in the HTML template befo...

Lightweight Music Server 跨站脚本漏洞

Lightweight Music Server is a self-hosted music streaming service developed by Emeric POUPON. Versions of Lightweight Music Server 3.76.0 and earlier contained a cross-site scripting vulnerability. This vulnerability stemmed from stored-xss attacks, allowing attackers to execute arbitrary...

EUVD-2026-33028

Exposed methods allow authenticated users to create and execute arbitrary JavaScript code on the server. The scripts execute with full access, enabling complete system compromise as commands are executed as root...

CVE-2026-43898

SandboxJS is a JavaScript sandboxing library. Prior to 0.9.6, sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal LispType.Call runtime callback. That callback can then be invoked with attacker-controlled fake context and obj values to extract blocked...

EUVD-2026-32972

MeshCore Card provides MeshCore Lovelace card for Home Assistant. Prior to 0.3.3, Meshcore node names are rendered without HTML escaping in meshcore-card, allowing any node within direct or indirect repeated radio range to execute arbitrary javascript in the Home Assistant frontend of anyone...

CVE-2026-47760 TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs

TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. This...

PT-2026-44460

Name of the Vulnerable Software and Affected Versions MeshCore Card versions prior to 0.3.3 Description MeshCore Card provides a Lovelace card for Home Assistant. Node names are rendered without HTML escaping in the meshcore-card component, which allows any node within direct or indirect radio...

Sensorweb ScadaBR 安全漏洞

Sensorweb ScadaBR is a set of open-source software developed by Sensorweb Corporation, designed for developing automated data acquisition and monitoring applications. There is a security vulnerability in Sensorweb ScadaBR. This vulnerability stems from an exposed method that allows authenticated...

PT-2026-44538

Name of the Vulnerable Software and Affected Versions ScadaBR version 1.2.0 Description Exposed methods allow authenticated users to create and execute arbitrary JavaScript code on the server. These scripts execute with full access, enabling complete system compromise as commands are executed as...

Tiny Technologies TinyMCE 跨站脚本漏洞

TinyMCE is a rich text editor developed by Tiny Technologies in the United States. Versions of TinyMCE from 6.8.0 to 7.1.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from improper handling of SVG namespace scopes by the cleaner tool; it could allow custom payloads...

EUVD-2026-31443

Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicio...

Linux Distros Unpatched Vulnerability : CVE-2026-6073

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allow...

PT-2026-42586

Summary A cross-site scripting XSS vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including tags—is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution ...

CVE-2026-47099 TeleJSON < 6.0.0 DOM-based XSS via parse() Function

TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious constructor-name property value. The custom reviver passes the constructor name...

Astra Linux - уязвимость в firefox, thunderbird

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution within the PDF.js context. This vulnerability affects Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11...