
29 matches found

GitHub Security Blog
added 2026/04/22 10:22 p.m. · 8 views

OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender

Summary: The Command Sender UI uses an unsafe eval function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if...

CVSS 4.6 · AI score 6.1 · EPSS 0.00043
Exploits 0 · References 5 · Affected Software 1
Snyk
added 2026/03/31 2:29 a.m. · 1 view

Cross-site Scripting (XSS)

Overview: baserproject/basercms is a content management system based on CakePHP. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the tag creation process. An attacker can execute arbitrary scripts in the context of the user's browser by crafting malicious input...

CVSS 7.1 · AI score 7.3 · EPSS 0.00013
Exploits 0 · References 2
EUVD
added 2026/03/19 9:30 a.m. · 2 views

EUVD-2026-13075

HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user which leads to executing malicious script code. This may allow the attacker to steal cookie-based authentication credential...

CVSS 5.4 · AI score 5.8 · EPSS 0.00052
Exploits 0 · References 2
NVD
added 2026/03/18 8:16 a.m. · 4 views

CVE-2026-22322

A stored cross-site scripting (XSS) vulnerability in the Link Aggregation configuration interface allows an unauthenticated remote attacker to create a trunk entry containing malicious HTML/JavaScript code. When the affected page is viewed, the injected script executes in the context of the victim’...

CVSS 7.1 · EPSS 0.00034
Exploits 0 · References 1
Snyk
added 2026/03/05 6:40 p.m. · 1 view

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the hotlinking process. An attacker can execute arbitrary JavaScript code in the context of users viewing the hotlinked SVG by uploading a crafted SVG file containing malicious scripts and creating a hotlink...

CVSS 8.7 · AI score 5.7 · EPSS 0.00011
Exploits 0 · References 2
Snyk
added 2026/02/03 8:37 p.m. · 3 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the SVG file upload process. An attacker can execute arbitrary scripts in the context of a user's browser session by uploading a specially crafted SVG file. Details: Cross-site scripting or XSS is a code...

CVSS 6.1 · AI score 5.6 · EPSS 0.00019
Exploits 1 · References 3
Snyk
added 2025/10/31 6:31 p.m. · 1 view

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the selectedLanguageId parameter. An attacker can execute arbitrary web scripts or inject HTML by supplying crafted input to this parameter. Details: Cross-site scripting or XSS is a code vulnerability that...

CVSS 6.1 · AI score 5.5 · EPSS 0.00031
Exploits 0 · References 2
EUVD
added 2025/10/03 8:7 p.m. · 1 view

EUVD-2024-54592

Malicious code in bioql PyPI...

CVSS 6.9 · AI score 6.6 · EPSS 0.00215
Exploits 0 · References 1
NVD
added 2025/07/31 8:15 a.m. · 3 views

CVE-2025-41391

Stored cross-site scripting vulnerability exists in multiple versions of PowerCMS. If a product user accesses a malicious page, an arbitrary script may be executed on the browser...

CVSS 5.4 · EPSS 0.00141
Exploits 0 · References 2
Snyk
added 2025/07/16 12:30 p.m. · 1 view

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Administration Console. An attacker can execute arbitrary scripts in the context of a user's browser by injecting malicious input that is later rendered without proper sanitization. Details: Cross-site...

CVSS 6.9 · AI score 5.5 · EPSS 0.00153
Exploits 0 · References 2
OSV
added 2025/01/30 4:15 p.m. · 2 views

CVE-2025-22221

VMware Aria Operations for Logs contains a stored cross-site scripting vulnerability. A malicious actor with admin privileges to VMware Aria Operations for Logs may be able to inject a malicious script that could be executed in a victim's browser when performing a delete action in the Agent...

CVSS 4.8 · AI score 7.5 · EPSS 0.00244
Exploits 0 · References 1
CNNVD
added 2025/01/28 12:0 a.m. · 0 views

Hewlett Packard Enterprise Aruba Networking Fabric Composer Security Vulnerability

Hewlett Packard Enterprise Aruba Networking Fabric Composer (HPE Aruba Networking Fabric Composer) is an intelligent, API-driven, software-defined orchestration solution from Hewlett Packard Enterprise. A security vulnerability exists in Hewlett Packard Enterprise Aruba Networking Fabric Composer. ...

CVSS 5.5 · AI score 7 · EPSS 0.00059
Exploits 0 · References 1
CNNVD
added 2024/05/24 12:0 a.m. · 1 view

M-Files Hubshare Security Vulnerability

M-Files Hubshare is a collaboration solution from M-Files, Inc. designed to seamlessly share files, documents and collaborative content. A security vulnerability exists in M-Files Hubshare versions prior to 5.0.3.8. An attacker exploited the vulnerability to run scripts in other users' browsers...

CVSS 7 · AI score 6.7 · EPSS 0.01107
Exploits 0 · References 3
Positive Technologies
added 2024/05/06 12:0 a.m. · 3 views

PT-2024-19704 · Open Xchange Gmbh +1 · Ox App Suite +1

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: Maliciously crafted E-Mail attachment names could be used to temporarily execute script code in the context of the user's browser session. Common user...

CVSS 6.5 · AI score 7.1 · EPSS 0.00105
Exploits 0 · References 7
CNNVD
added 2023/09/30 12:0 a.m. · 0 views

osCommerce Cross-Site Scripting Vulnerability

osCommerce is an open source online shopping e-commerce solution based on the GNU GPL license. osCommerce suffers from a cross-site scripting vulnerability that stems from susceptibility to a cross-site scripting (XSS) vulnerability that allows an attacker to execute unauthorized scripts in a user's...

CVSS 5.4 · AI score 5.9 · EPSS 0.00105
Exploits 1 · References 3
CNNVD
added 2023/09/30 12:0 a.m. · 1 view

osCommerce Cross-Site Scripting Vulnerability

osCommerce is an open source online shopping e-commerce solution based on the GNU GPL license. osCommerce suffers from a cross-site scripting vulnerability that stems from susceptibility to a cross-site scripting (XSS) vulnerability that allows an attacker to execute unauthorized scripts in a user's...

CVSS 5.4 · AI score 5.9 · EPSS 0.00117
Exploits 1 · References 3
CNNVD
added 2023/09/30 12:0 a.m. · 2 views

osCommerce Cross-Site Scripting Vulnerability

osCommerce is an open source online shopping e-commerce solution based on the GNU GPL license. osCommerce suffers from a cross-site scripting vulnerability that stems from susceptibility to a cross-site scripting (XSS) vulnerability that allows an attacker to execute unauthorized scripts in a user's...

CVSS 5.4 · AI score 5.9 · EPSS 0.00117
Exploits 1 · References 3
CNNVD
added 2022/02/25 12:0 a.m. · 3 views

QNAP QTS Proxy Server Cross-Site Scripting Vulnerability

Qnap Systems QNAP QTS is a data storage device with SAN-like storage architecture from China Weilian Tong Qnap Systems. The device supports tiered storage, mirror protection, and other security features. A cross-site scripting vulnerability exists in the QNAP QTS Proxy Server, which stems from...

CVSS 6.9 · AI score 5.9 · EPSS 0.00222
Exploits 0 · References 3
CNNVD
added 2021/08/03 12:0 a.m. · 2 views

Fortinet FortiSandbox Cross-Site Scripting Vulnerability

Fortinet FortiSandbox is an APT (Advanced Persistent Threat) protection appliance from Fortinet, Inc. The appliance provides dual sandboxing technology, a dynamic threat intelligence system, a real-time control panel and reporting, etc. The Fortinet FortiSandbox contains a cross-site scripting...

CVSS 6.1 · AI score 5.6 · EPSS 0.00444
Exploits 0 · References 3
CNNVD
added 2021/02/01 12:0 a.m. · 2 views

Peerigon angular-expressions code injection vulnerability

Peerigon angular-expressions is a JavaScript-based codebase that can be used to extract browser nodes from Peerigon, Germany. A code injection vulnerability exists in angular-expressions 1.1.2, which allows remote code execution and can be exploited by an attacker to run any browser script...

CVSS 8.8 · AI score 7.8 · EPSS 0.00319
Exploits 0 · References 5