PT-2026-39445

Name of the Vulnerable Software and Affected Versions PHP versions 8.2.0 through 8.2.30 PHP versions 8.3.0 through 8.3.30 PHP versions 8.4.0 through 8.4.20 PHP versions 8.5.0 through 8.5.5 Description Improper sanitation of user data allows an attacker to compose a URL that executes arbitrary...

CVE-2025-57881

A reflected cross-site scripting xss vulnerability exists in the modifyEmail functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability...

CVE-2025-55071

A reflected cross-site scripting xss vulnerability exists in the modifyAnonymize functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability...

CVE-2025-54852

A reflected cross-site scripting xss vulnerability exists in the modifyAeTitle functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability...

CVE-2025-54814

MedDream PACS Premium 7.3.6.870 contains a post-auth reflected XSS in Pacs/modifyAutopurgeFilter.php via the key URL parameter. A crafted URL can cause arbitrary JavaScript execution in the affected web output. Talos reports the vulnerability as TALOS-2025-2261 (CVE-2025-54814) with CVSSv3.1 6.1 ...

EUVD-2021-26662

Malware in sbrugna...

EUVD-2024-46636

Malicious code in bioql PyPI...

CVE-2025-47094

Adobe Experience Manager versions 6.5.22 and earlier are affected by a reflected Cross-Site Scripting XSS vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browse...

CVE-2023-32759

An issue in Archer Platform before v.6.13 and fixed in 6.12.0.6 and 6.13.0 allows an authenticated attacker to obtain sensitive information via a crafted URL...

CVE-2013-0944

The web-based file-restore interface in EMC Avamar Server before 6.1.0 allows remote authenticated users to read arbitrary files via a crafted URL...

CVE-2024-11638

CVE-2024-11638 affects the WordPress plugin Gtbabel (versions before 6.6.9). Root cause: it does not verify that the URL to analyze is within the blog, enabling unauthenticated attackers to trigger requests that can capture a logged-in user’s cookies (e.g., admin). Impact: potential admin cookie ...

parse-uri Regular expression Denial of Service (ReDoS)

An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service ReDoS via a crafted URL. PoC js async function exploit const parseuri = require"parse-uri"; // This input is designed to cause excessive backtracking in the regex const craftedInput = 'http://example.com...

GHSA-6FX8-H7JM-663J parse-uri Regular expression Denial of Service (ReDoS)

An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service ReDoS via a crafted URL. PoC js async function exploit const parseuri = require"parse-uri"; // This input is designed to cause excessive backtracking in the regex const craftedInput = 'http://example.com...

CVE-2024-45625

Cross-site scripting vulnerability exists in Forminator versions prior to 1.34.1. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who follows a crafted URL and accesses the webpage with the web form created by Forminator...

Bosch Nexo cordless nutrunner security breach

Bosch Nexo Cordless nutrunner is a series of cordless tightening wrenches with integrated controls from Bosch Germany. A security vulnerability exists in Bosch Nexo cordless nutrunner. The vulnerability allows remote attackers to inject and execute arbitrary client-side scripting code within a...

SUSE CVE-2017-17523

lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument...

GHSA-FJ26-Q4VH-85F6 MoinMoin Cross-site Scripting (XSS) vulnerability

MoinMoin 1.9.8 allows remote attackers to conduct "JavaScript injection" attacks by using the "page creation or crafted URL" approach, related to a "Cross Site Scripting XSS" issue affecting the action=fckdialog&dialog=attachment via page name component...

CVE-2022-22182

A Cross-site Scripting XSS vulnerability in Juniper Networks Junos OS J-Web allows an attacker to construct a URL that when visited by another user enables the attacker to execute commands with the target's permissions, including an administrator. This issue affects: Juniper Networks Junos OS 12....

Multiple IBM Product Clickjacking Vulnerabilities

IBM InfoSphere DataStage and InfoSphere Information Server on Cloud are both products of IBM USA. The former is a set of graphical interface to provide data integration solutions ETL data extraction, transformation and loading tools, the latter is a set of cloud-based data integration platform. A...

Messagerie 1.0 - Arbitrary User Removal Denial of Service

source: https://www.securityfocus.com/bid/4635/info Messagerie is a web message board application maintained by La Basse. An issue has been discovered in Messagerie, which could allow an attacker to delete arbitrary user accounts. Reportedly, submitting a specially crafted URL will successfully...