CLSA-2026-1777944852 vim: Fix of 2 CVEs

CVE-2021-3984: in findstartbrace misc1.c, when a found '' lies inside a comment, restore the full cursor position line and column instead of only the line so subsequent C-indent lookups stay within the line bounds. - CVE-2022-2571: in inscomplgetexp edit.c, when CONTADDING is active, only advance...

Astra Linux - уязвимость в golang-1.19, golang-1.23

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary...

summary-awi-poc

summary-awi-poc Public proof-of-concept repository for valida...

JLSEC-2026-284

A flaw was found in libXpm. This issue occurs when parsing a file with a comment not closed; the end-of-file condition will not be detected, leading to an infinite loop and resulting in a Denial of Service in the application linked to the library...

CVE-2026-5940

Calling a function that triggers a UI refresh after removing comments via a script may access an invalidated object, leading to program crashes...

CVE-2026-5940 Foxit PDF Editor/Reader Annotation Use-After-Free Remote Code Execution Vulnerability

Calling a function that triggers a UI refresh after removing comments via a script may access an invalidated object, leading to program crashes...

CVE-2026-5940

Summary of CVE-2026-5940 : Foxit PDF Editor/Reader contains a use-after-free vulnerability in the annotation flow. The issue arises when a function triggers a UI refresh after removing comments via a script, which may access an invalidated object and cause a crash. The CVE record cites a CVSS v3....

CVE-2026-5940 Foxit PDF Editor/Reader Annotation Use-After-Free Remote Code Execution Vulnerability

Calling a function that triggers a UI refresh after removing comments via a script may access an invalidated object, leading to program crashes...

CVE-2026-41455

WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the URL scheme field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network...

CVE-2026-41455

CVE-2026-41455 affects WeKan

CVE-2026-41455

WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the URL scheme field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network...

xmldom has XML node injection through unvalidated comment serialization

Summary The package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. --- Details The issue is in t...

GHSA-J759-J44W-7FR8 xmldom has XML node injection through unvalidated comment serialization

Summary The package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. --- Details The issue is in t...

fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters

fast-xml-parser XMLBuilder: Comment and CDATA Injection via Unescaped Delimiters Summary fast-xml-parser XMLBuilder does not escape the -- sequence in comment content or the sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data...

GHSA-GH4J-GQV2-49F6 fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters

fast-xml-parser XMLBuilder: Comment and CDATA Injection via Unescaped Delimiters Summary fast-xml-parser XMLBuilder does not escape the -- sequence in comment content or the sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data...

Cross-site Request Forgery (CSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the commentDelete.json.php process. An attacker can cause unauthorized deletion of comments by tricking an authenticated user...

CVE-2026-4138

The DX Unanswered Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation on the plugin's settings form in the dxuc-unanswered-comments-admin-page.php file. This makes it possible for...

CVE-2026-4138

The CVE-2026-4138 entry concerns the DX Unanswered Comments plugin for WordPress (versions up to 1.7). A Cross-Site Request Forgery vulnerability arises from missing nonce validation on the plugin’s settings form (dxuc-unanswered-comments-admin-page.php), enabling unauthenticated attackers to mod...

CVE-2026-4138 DX Unanswered Comments <= 1.7 - Cross-Site Request Forgery via Settings Update

The DX Unanswered Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation on the plugin's settings form in the dxuc-unanswered-comments-admin-page.php file. This makes it possible for...

CVE-2026-4138

The DX Unanswered Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation on the plugin's settings form in the dxuc-unanswered-comments-admin-page.php file. This makes it possible for...