Lucene search
K

5554 matches found

NVD
NVD
added 2026/06/03 6:16 p.m.14 views

CVE-2026-39107

A Cross Site Scripting vulnerability exists in the Kimi AI v1.0 web interface's 'Preview' feature. The application fails to properly sanitize or encode HTML/JavaScript payloads generated by the AI model. When a user switches to the 'Preview' tab to view AI-generated code, the malicious payload is...

6.3CVSS0.0027EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/03 12:0 a.m.20 views

PT-2026-46087

When using React Router v7's unstable RSC APIs, there exists a potential client-side XSS issue in the RSC redirect handling if redirects are coming from untrusted sources !NOTE This only impacts your application if you are using the unstable RSC APIs in React Router...

8CVSS5.8AI score0.00188EPSS
Exploits0References4
Snyk
Snyk
added 2026/06/02 10:22 p.m.9 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the redirect handling of unstable React Server Components RSC APIs. An attacker can execute arbitrary JavaScript code in the user's browser by supplying a crafted javascript: redirect target from an untrusted...

8CVSS5.6AI score0.00188EPSS
Exploits0References2
OSV
OSV
added 2026/06/02 6:3 p.m.12 views

RLSA-2026:22304 Important: postgresql-jdbc security update

PostgreSQL is an advanced object-relational database management system. The postgresql-jdbc package includes the .jar files needed for Java programs to access a PostgreSQL database. Security Fixes: jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authenticati...

7.5CVSS7.1AI score0.0077EPSS
Exploits0References2
CVE
CVE
added 2026/06/01 2:44 p.m.21 views

CVE-2026-42683

The CVE-2026-42683 entry concerns the WordPress plugin VikBooking Hotel Booking Engine & PMS, affected through version 1.8.8. The issue is an Improper Neutralization of Input During Web Page Generation, i.e., a DOM-based Cross-Site Scripting (XSS) vulnerability. The root cause, as stated, is impr...

7.1CVSS5.8AI score0.00142EPSS
Exploits0References1
GithubExploit
GithubExploit
added 2026/05/29 9:52 p.m.84 views

NileBank-Vulnerable-App

NileBank - Web Pen Testing Project A realistic bank web appli...

5.9AI score
Exploits0
Cvelist
Cvelist
added 2026/05/29 12:34 p.m.35 views

CVE-2026-45551 Group-Office: Authenticated Stored XSS in Administrator Context via Arbitrary Cross-User Setting Write

Group-Office is an enterprise customer relationship management and groupware tool. Prior to 26.0.25, 25.0.100, and 6.8.165, GroupOffice allows authenticated users to persist arbitrary legacy settings for any userid via index.php?r=core/saveSetting. A separate client-side sink in the email module...

5.1CVSS0.0023EPSS
Exploits0References1
NVD
NVD
added 2026/05/28 9:16 a.m.14 views

CVE-2024-47097

Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the site parameter of handleloginform.do...

5.1CVSS0.00319EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/28 8:25 a.m.10 views

CVE-2024-47097

Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the site parameter of handleloginform.do...

5.1CVSS6AI score0.00319EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/28 8:25 a.m.10 views

EUVD-2024-55603

Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the site parameter of handleloginform.do...

5.1CVSS6AI score0.00319EPSS
Exploits0References1
OSV
OSV
added 2026/05/26 2:17 p.m.9 views

JLSEC-2026-520

A flaw was found in gnutls. A use after free issue in client sending keyshare extension may lead to memory corruption and other consequences...

9.8CVSS6.7AI score0.03751EPSS
Exploits1References24
RedHat Linux
RedHat Linux
added 2026/05/26 3:24 a.m.29 views

tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments

A flaw was found in Tornado. A remote attacker could exploit this vulnerability by injecting specially crafted characters into the domain, path, and samesite arguments when setting cookies. This could lead to cookie attribute injection, potentially allowing for information disclosure or...

7.2CVSS5.7AI score0.00237EPSS
Exploits0References6
GithubExploit
GithubExploit
added 2026/05/25 4:43 p.m.111 views

Exploit for CVE-2026-33712

CVE-2026-33712 - Typebot Unauthenticated SSRF Description...

10CVSS5.8AI score0.00347EPSS
Exploits1
EUVD
EUVD
added 2026/05/22 6:26 p.m.11 views

EUVD-2026-31481

TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the fix for GHSA-4xc5-wfwc-jw47 "Credential Theft via Client-Side Script Execution and API Authorization Bypass" is incomplete. While the builder's getCredentials tRPC endpoint was patched with workspace membership checks, the...

7.1CVSS5.8AI score0.00271EPSS
Exploits0References3
OSV
OSV
added 2026/05/22 3:14 p.m.7 views

CLSA-2026-1779462894 rsync: Fix of CVE-2026-43620

CVE-2026-43620: prevent client-side out-of-bounds read in receiver when a malicious server sends a crafted file-list with parentndx0...

6.9CVSS5.8AI score0.00503EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/22 12:0 a.m.18 views

PT-2026-42821

Name of the Vulnerable Software and Affected Versions TypeBot versions prior to 3.15.3 Description An incomplete fix in the bot-engine runtime allows authenticated users to use credentials from any workspace via the preview chat endpoint. The getCredentials utility function employs a falsy check...

7.1CVSS5.8AI score0.00271EPSS
Exploits0References5
OSV
OSV
added 2026/05/21 5:57 p.m.13 views

GHSA-32Q2-HHR5-6QVV md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)

Summary A cross-site scripting XSS vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including tags—is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution ...

7.2CVSS6AI score0.00213EPSS
Exploits0References4
NVD
NVD
added 2026/05/20 8:16 p.m.21 views

CVE-2026-9139

Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a hard-coded credential vulnerability in the embedded web configuration interface where authentication is implemented entirely in client-side JavaScript in login.zhtml, exposing static plaintext credentials in the page source...

9.8CVSS0.00454EPSS
Exploits0References2
NVD
NVD
added 2026/05/20 8:16 p.m.12 views

CVE-2026-2813

ArcGIS Server contains an input validation weakness in the login redirection workflow. An Authenticated attacker could exploit this issue by sending a specially crafted request, Successful exploitation may result in the application redirecting the browser to an unintended, untrusted site, resulti...

4.7CVSS0.003EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/20 7:35 p.m.10 views

EUVD-2026-31179

Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a hard-coded credential vulnerability in the embedded web configuration interface where authentication is implemented entirely in client-side JavaScript in login.zhtml, exposing static plaintext credentials in the page source...

9.8CVSS5.8AI score0.00454EPSS
Exploits0References2
Rows per page
Query Builder