CVE-2026-7299
Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS via malicious table or column names, triggering arbitrary code execution in the sessions of other...
CVE-2026-7299
Appsmith CVE-2026-7299 affects the SQL query editor autocomplete renderer, where unsanitized database object names rendered into innerHTML enable persistent XSS by a developer with access. This can execute arbitrary JavaScript in other workspace members’ sessions when interacting with the same da...
Appsmith’s SQL query autocomplete renderer contains a cross-site scripting vulnerability
Overview A stored cross-site scripting XSS vulnerability has been discovered in Appsmith, specifically in the CodeMirror-based SQL query editor’s autocomplete renderer. CVE-2026-7299 has been assigned to track the vulnerability. An attacker with developer level access to a shared PostgreSQL...
symfony/ux-autocomplete Information exposure via unescaped LIKE wildcards in EntitySearchUtil
More info at https://github.com/symfony/ux/security/advisories/GHSA-946h-jp5c-8fvh...
symfony/ux-autocomplete XSS via unescaped AJAX response data
More info at https://github.com/symfony/ux/security/advisories/GHSA-mwqm-4fw3-cjvr...
Duplicate Advisory: OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rvvf-6vh3-9j43. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete...
CVE-2026-41348
OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Discord users can bypass channel restrictions by invoking slash commands, allowing access to restricted...
📄 FacturaScripts SQL Injection
FacturaScripts versions prior to 2025.81 suffer from a remote SQL injection vulnerability in the Autocomplete Actions functionality. CVE-2026-25514: FacturaScripts has SQL Injection in Autocomplete Actions Overview | Field | Details | |---|---| | CVE ID | CVE-2026-25514 | | Severity | HIGH | |...
Exploit for SQL Injection in Facturascripts
CVE-2026-25514: FacturaScripts has SQL Injection in Autocomple...
Incorrect Authorization
Overview @openclaw/discord is an OpenClaw Discord channel plugin Affected versions of this package are vulnerable to Incorrect Authorization in the Discord slash and autocomplete command handling process. An attacker can gain unauthorized access to group DM channels by bypassing the allowlist...
Exploit for CVE-2026-7299
CVE-2026-7299 - Appsmith 1.98 Stored XSS SQL Autocomplete inn...
CVE-2026-0748 Access bypass in Drupal 7 i18n_node translation UI
In the Drupal 7 Internationalization i18n module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls an...
CVE-2026-31823
Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting XSS vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML. Shop breadcrumbs shared/breadcrumbs.html.twig: The...
MAL-2026-1597 Malicious code in @emerald-react/autocomplete (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f3769d592953bbc58c010ccd6832a0c93aa4464e302e8ed7214df4bd5be7c030 The package @emerald-react/autocomplete was found to contain malicious code...
EUVD-2026-10919
Sylius Vulnerable to Authenticated Stored XSS...
EUVD-2026-10918
Sylius Vulnerable to Authenticated Stored XSS...
Sylius Vulnerable to Authenticated Stored XSS
Impact An authenticated stored cross-site scripting XSS vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML. Shop breadcrumbs shared/breadcrumbs.html.twig: The breadcrumbs macro uses the Twig |raw filter on...