23 matches found
CVE-2026-41240
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214. The same fix was not...
CVE-2026-2339
CVE-2026-2339 affects Liderahenk before 3.4.0 with a Missing Authentication for Critical Function vulnerability that allows Remote Code Inclusion, Privilege Abuse and Command Injection. The issue is exploitable over the network (high access complexity, user interaction required) and has high impa...
CVE-2026-2339 RCE in TUBITAK BILGEM's Liderahenk
Missing Authentication for Critical Function vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Remote Code Inclusion, Privilege Abuse, Command Injection. This issue affects Liderahenk: before 3.5.1...
CVE-2025-34319
TOTOLINK N300RT wireless router firmware versions prior to V3.4.0-B20250430 (the issue was found in V2.1.8-B20201030.1539) contain an OS command injection vulnerability in the formWsc handler of the Boa web server. An unauthenticated attacker can send specially crafted requests to trigger command execution via...
TOTOLINK N300RT OS Command Injection Vulnerability
The TOTOLINK N300RT is an 802.11n-compliant wireless router from China's Gion Electronics (TOTOLINK). An OS command injection vulnerability exists in TOTOLINK N300RT versions prior to V3.4.0-B20250430, located in the formWsc function of the Boa web server, which could lead to the...
EUVD-2016-2053
Malware in sbrugna...
Weseek GROWI Security Vulnerability
Weseek GROWI is team collaboration software from Weseek (Japan). A security vulnerability exists in Weseek GROWI versions prior to v3.4.0 that an attacker could exploit to conduct cross-site scripting attacks...
TRIPLEPLAY Caveman Cross-Site Scripting Vulnerability
TRIPLEPLAY Caveman is a commercial software platform for IPTV and video streaming from TRIPLEPLAY (UK). A security vulnerability exists in TRIPLEPLAY Caveman versions prior to 3.4.0 that an attacker can exploit to inject client-side code and run it...
PT-2023-20758 · Unknown · Triplesign +1
Name of the Vulnerable Software and Affected Versions: Tripleplay Platform versions prior to 3.4.0 Description: The issue allows attackers to inject client-side code to run as an authenticated user via a crafted link. This is a result of an XSS vulnerability in TripleSign. Recommendations: For...
SUSE CVE-2019-11358
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype...
PT-2022-24704 · WordPress · Easy Form Builder
Name of the Vulnerable Software and Affected Versions: Easy Form Builder WordPress plugin versions prior to 3.4.0 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This is possible because some settings are not properly sanitised a...
Design/Logic Flaw
A flaw was discovered in Elastic Cloud Enterprise (ECE) before 3.4.0 that might lead to the disclosure of sensitive information, such as user passwords and Elasticsearch keystore setting values, in logs such as the audit log or deployment logs in the Logging and Monitoring cluster. The affected APIs are PATCH /api/v1/user a...
PeerTube Cross-Site Scripting Vulnerability
PeerTube is a decentralized video sharing platform. Versions prior to v3.4.0 have a cross-site scripting vulnerability that stems from insufficient validation and filtering of user-supplied input at the point where it is accepted, which could be used by an attacker to...
CVE-2021-23018
Intra-cluster communication does not use TLS. The services within the NGINX Controller 3.x (before 3.4.0) namespace use cleartext protocols inside the cluster...
NGINX Controller Security Vulnerability
F5 NGINX Controller is a centralized monitoring and management platform for NGINX from F5. It supports managing multiple NGINX instances through a visual interface. A security vulnerability exists in F5 NGINX Controller that stems from the fact that intra-cluster communication do...
Mattermost Desktop App Code Injection Vulnerability
Mattermost Desktop App is a messaging desktop application from Mattermost (USA). A code injection vulnerability exists in Mattermost Desktop App versions prior to 3.4.0. The vulnerability stems from the product not properly filtering specific elements of externally supplied data duri...
CVE-2019-1010294
Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Rounding error. The impact is: Potentially leaking code and/or data from previous Trusted Application. The component is: opteeos. The fixed version is: 3.4.0 and later...
PT-2019-11550
Name of the Vulnerable Software and Affected Versions: Linaro/OP-TEE versions prior to 3.4.0 Description: The issue is related to a buffer overflow in the optee os component, which can lead to code execution in the context of the TEE core kernel. Recommendations: For versions prior to 3.4.0, upda...
AZL-44586 CVE-2019-11358 affecting package python-openstackdocstheme 3.0.0-9
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype...
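The two CVE-2019-11358 entries above (SUSE and AZL-44586) describe the same mechanism: a recursive deep merge that copies an own, enumerable `__proto__` key from attacker-controlled JSON and thereby writes into `Object.prototype`. The following is an added illustration, not jQuery's source: `deepMergeUnsafe` models the pre-3.4.0 `jQuery.extend(true, ...)` behaviour, `deepMergeSafe` applies the same kind of key check jQuery 3.4.0 introduced (skipping `__proto__`; the extra `constructor`/`prototype` skips are this example's own hardening), and the payload is constructed for the demo.

```javascript
// Prototype pollution via a naive recursive deep merge, modelled on the
// pre-3.4.0 jQuery.extend(true, {}, ...) behaviour. Added example; not jQuery code.

function isPlainObject(v) {
  return Object.prototype.toString.call(v) === "[object Object]";
}

// Vulnerable: copies every own enumerable key of `source`, including "__proto__".
// For key "__proto__", target[key] resolves to Object.prototype, so the recursion
// writes the attacker's nested keys straight onto the shared prototype.
function deepMergeUnsafe(target, source) {
  for (const key in source) {
    if (!Object.prototype.hasOwnProperty.call(source, key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = deepMergeUnsafe(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse to merge keys that reach the prototype chain.
// jQuery 3.4.0's fix skips "__proto__"; "constructor" and "prototype" are
// skipped here as additional defence (assumption of this example, not the jQuery patch).
function deepMergeSafe(target, source) {
  for (const key in source) {
    if (!Object.prototype.hasOwnProperty.call(source, key)) continue;
    if (key === "__proto__" || key === "constructor" || key === "prototype") continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = deepMergeSafe(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload: JSON.parse creates an own, enumerable "__proto__" key.
const POLLUTION_PAYLOAD = '{"__proto__": {"isAdmin": true}}';

// Returns true if merging the payload made an unrelated object report isAdmin === true.
function demoUnsafe() {
  deepMergeUnsafe({}, JSON.parse(POLLUTION_PAYLOAD));
  const leaked = ({}).isAdmin === true; // a fresh object now inherits the injected key
  delete Object.prototype.isAdmin;      // clean up so the rest of the process is unaffected
  return leaked;
}

// Returns true if the hardened merge left both Object.prototype and the result untouched.
function demoSafe() {
  const out = deepMergeSafe({}, JSON.parse(POLLUTION_PAYLOAD));
  return ({}).isAdmin === undefined && out.isAdmin === undefined;
}

console.log("unsafe merge polluted Object.prototype:", demoUnsafe()); // true
console.log("hardened merge stayed clean:", demoSafe());              // true
```

The detection value for code review is the pattern, not the library: any "deep extend", "merge options" or "set by path" helper that iterates incoming keys without rejecting `__proto__` has the same failure mode, and the check belongs at the key-iteration point, before any recursion.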
PT-2019-5359 · Twitter +4 · Bootstrap +4
Name of the Vulnerable Software and Affected Versions: Bootstrap versions prior to 3.4.0 Description: The issue is related to the affix plugin in Bootstrap, which does not properly protect the structure of a web page, allowing for potential exploitation. This could enable a remote attacker to...