Lucene search
K

87 matches found

Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.16 views

PT-2026-53666

Name of the Vulnerable Software and Affected Versions Pinpoint versions prior to 3.1.1 Description Insecure session management occurs because the pinpointJwt session cookie lacks HttpOnly and Secure attributes. This allows the cookie to be accessed via JavaScript through document.cookie and...

7.6CVSS5.8AI score0.00126EPSS
Exploits0References7
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/10 6:34 p.m.15 views

Malicious code in v018-axios-cdntest (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 67d30d2c9939173663f8ba1312b2591d2f86c67657bd5eeff59b19187f50b901 Package impersonates axios v0.18.0 index.js carries the genuine axios v0.18.0 | c 2018 by Matt Zabriskie header and sets window.axios=,...

5.4AI score
Exploits0References4
OSV
OSV
added 2026/06/10 6:34 p.m.15 views

MAL-2026-5529 Malicious code in v018-axios-cdntest (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 67d30d2c9939173663f8ba1312b2591d2f86c67657bd5eeff59b19187f50b901 Package impersonates axios v0.18.0 index.js carries the genuine axios v0.18.0 | c 2018 by Matt Zabriskie header and sets window.axios=,...

5.4AI score
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/03 11:9 a.m.14 views

Malicious code in spadata (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 861acdca6a344c5a3eae65cb3655f211343f79870978f8bfc62654855efa89f3 The package exfiltrates Roblox cookies from the victim machine. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaig...

5.8AI score
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/05/26 6:0 p.m.15 views

Typebot.io has stored XSS via `javascript`: URI in text bubble links — bot author executes JS on visitors' browsers

Summary The Typebot viewer packages/embeds/js renders anchor tags from rich text bubble content without filtering the javascript: URI scheme. A bot author can set a link URL to javascript:PAYLOAD, which executes in the visitor's browser context when clicked. Since the viewer is typically embedded...

5.4CVSS5.9AI score0.00241EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/05/26 6:0 p.m.10 views

GHSA-HQMV-V56G-4M47 Typebot.io has stored XSS via `javascript`: URI in text bubble links — bot author executes JS on visitors' browsers

Summary The Typebot viewer packages/embeds/js renders anchor tags from rich text bubble content without filtering the javascript: URI scheme. A bot author can set a link URL to javascript:PAYLOAD, which executes in the visitor's browser context when clicked. Since the viewer is typically embedded...

5.4CVSS5.9AI score0.00241EPSS
Exploits0References5
OSV
OSV
added 2026/05/25 6:11 p.m.12 views

MAL-2026-4596 Malicious code in koishi-plugin-yuan (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ca3069b86d0de573768e010f6ee414d10454b7aa241d17bfa056ca2d7665e533 koishi-plugin-yuan exposes an HTTP endpoint /api/bind-cookie that accepts Bilibili user cookies including SESSDATA and bilijct and forwards them via...

5.8AI score
Exploits0References1
NVD
NVD
added 2026/05/22 6:16 p.m.11 views

CVE-2026-39964

TypeBot is a chatbot builder tool. In versions prior to 3.16.0, the Typebot viewer packages/embeds/js renders anchor tags from rich text bubble content without filtering the javascript: URI scheme. A bot author can set a link URL to javascript:PAYLOAD, which executes in the visitor's browser...

5.4CVSS0.00241EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/22 5:21 p.m.11 views

CVE-2026-39964

TypeBot is a chatbot builder tool. In versions prior to 3.16.0, the Typebot viewer packages/embeds/js renders anchor tags from rich text bubble content without filtering the javascript: URI scheme. A bot author can set a link URL to javascript:PAYLOAD, which executes in the visitor's browser...

5.4CVSS5.8AI score0.00241EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 2026/05/22 5:21 p.m.12 views

EUVD-2026-31480

TypeBot is a chatbot builder tool. In versions prior to 3.16.0, the Typebot viewer packages/embeds/js renders anchor tags from rich text bubble content without filtering the javascript: URI scheme. A bot author can set a link URL to javascript:PAYLOAD, which executes in the visitor's browser...

5.4CVSS5.8AI score0.00241EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/22 12:0 a.m.14 views

PT-2026-42817

Name of the Vulnerable Software and Affected Versions TypeBot versions prior to 3.16.0 Description The Typebot viewer renders anchor tags from rich text bubble content without filtering the javascript: URI scheme. This allows a bot author to set a link URL containing a malicious payload that...

5.4CVSS5.8AI score0.00241EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/05/13 7:54 p.m.35 views

CVE-2026-45228 Quark Drive (quark-auto-save) < 0.8.5 Stored XSS via System Configuration

Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders pushconfig key names using Vue.js's v-html directive without escaping. Authenticated attackers can inject HTML or JavaScript payloads as key names through the...

5.4CVSS0.00183EPSS
Exploits0References3
CVE
CVE
added 2026/05/13 7:54 p.m.16 views

CVE-2026-45228

Quark Drive

5.4CVSS5.8AI score0.00183EPSS
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/12 7:42 a.m.14 views

Malicious code in 0ctf-chalweb (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6d7a129ab6079febb92ceac3587af97653477bce8a65b8e85bfa5bcae0293b0d The package's entire content xss.js is a 2-line cookie-stealing payload that creates an Image element pointing to...

5.8AI score
Exploits0References1
OSV
OSV
added 2026/05/12 7:42 a.m.7 views

MAL-2026-3667 Malicious code in 0ctf-chalweb (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6d7a129ab6079febb92ceac3587af97653477bce8a65b8e85bfa5bcae0293b0d The package's entire content xss.js is a 2-line cookie-stealing payload that creates an Image element pointing to...

5.8AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.7 views

PT-2026-32980

Summary DOMSanitizer::sanitize allows elements in SVG content but never inspects their text content. CSS url references and @import rules pass through unfiltered, causing the browser to issue HTTP requests to attacker-controlled hosts when the sanitized SVG is rendered. Details In...

4.7CVSS5.9AI score0.00271EPSS
Exploits0References8
RedhatCVE
RedhatCVE
added 2026/04/09 7:23 p.m.5 views

CVE-2026-39328

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, an...

8.9CVSS5.9AI score0.00203EPSS
Exploits0References1
NVD
NVD
added 2026/04/07 6:16 p.m.9 views

CVE-2026-39328

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, an...

8.9CVSS0.00203EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/07 5:57 p.m.6 views

CVE-2026-39338 ChurchCRM has Blind XSS via Global Search – Administrative Cookie Session Exfiltration

ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM dashboard. The application fails to sanitize or encode user-supplied input prior to rendering it within the browser's...

8.6CVSS6.3AI score0.00224EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/07 5:57 p.m.20 views

CVE-2026-39338 ChurchCRM has Blind XSS via Global Search – Administrative Cookie Session Exfiltration

ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM dashboard. The application fails to sanitize or encode user-supplied input prior to rendering it within the browser's...

8.6CVSS0.00224EPSS
Exploits1References1
Rows per page
Query Builder