CVE-2025-62180

Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs...

CVE-2025-62180

The CVE concerns Pega Platform versions 8.3.0 through Infinity 25.1.2, affected by an authorization weakness that may let authenticated users access additional data via crafted URLs. The vulnerability is described with a high impact on confidentiality (VULNERABLE SYSTEM CONFIDENTIALITY: HIGH) and...

EUVD-2025-210309

Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs...

Open Redirect

Overview org.webjars.npm:nuxt is a Affected versions of this package are vulnerable to Open Redirect via improper handling of URLs in the navigateTo function. An attacker can execute arbitrary scripts or redirect users to malicious sites by supplying crafted URLs that exploit path normalization a...

EUVD-2026-36075

FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead...

CVE-2026-24315

SAP Fiori Launchpad allows attackers to craft malicious URLs that triggers arbitrary service calls on the Fiori domain, this when opened by the user could compromise accounts by stealing user credentials. Successful exploitation requires adversaries to possess advanced knowledge of the system...

CVE-2026-24315 Path Traversal Vulnerability in SAP Fiori (launchpad)

SAP Fiori Launchpad allows attackers to craft malicious URLs that triggers arbitrary service calls on the Fiori domain, this when opened by the user could compromise accounts by stealing user credentials. Successful exploitation requires adversaries to possess advanced knowledge of the system...

CVE-2026-27683

SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user�s browser, potentially exposing restricted information. This results in a low impact...

CVE-2026-39862

Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments query parameter flows unsanitized from URL parsing through to /bin/bash -c execution, allowing an attacker to execute...

CVE-2026-3366

IBM InfoSphere Optim Test Data Fabrication 1.0.0, 1.0.0.1, 1.0.0.2, 1.0.2, 1.0.2.2, 1.0.2.3, 1.0.2.4, 1.0.2.5, 1.0.2.6, 1.0.2.7 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences /../ to view...

CVE-2026-44574

A flaw was found in Next.js. This vulnerability allows an attacker to bypass security checks in web applications that use Next.js middleware to protect specific web pages. By sending specially crafted web addresses, an attacker can access protected content without proper authorization. This could...

CVE-2026-48209

An improper neutralization of user-controllable input in OTRS or OTRS Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting XSS attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into...

Cross-Site Scripting (XSS)

github.com/siyuan-note/siyuan is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to incomplete SVG sanitization and improper handling of user-controlled input in the /api/icon/getDynamicIcon endpoint, which allows an attacker to inject malicious SVG content and execute JavaScript...

WEBCON BPS 跨站脚本漏洞

WEBCON BPS is a low-code business process management and workflow automation platform developed by the Polish company WEBCON. Versions of WEBCON BPS prior to 2026.1.3.109 and 2025.2.1.293 contained a cross-site scripting vulnerability. This vulnerability stemmed from reflective cross-site scripti...

SAP NetWeaver Application Server ABAP 跨站脚本漏洞

SAP NetWeaver Application Server ABAP is a platform used by SAP, a German company, for the operation and development of applications written in the ABAP language. SAP NetWeaver Application Server ABAP has a cross-site scripting vulnerability. This vulnerability stems from reflective cross-site...

Cross-site Scripting (XSS)

SiYuan is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper escaping of attacker-controlled content in SVG output generated by the dynamic icon API endpoint, which allows an attacker to inject and execute malicious JavaScript through crafted URLs...

ALPINE-CVE-2026-42307

Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL e.g., using the sftp:// or file:// protocol handlers, an attacker can execute arbitrary...

Server-side Request Forgery (SSRF)

Overview PlaywrightCapture is an A simple library to capture websites using playwright Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the capture process. An attacker can access internal network resources or local files by supplying a crafted URL that...

CVE-2026-43646 Apache Wicket: crafted URLs can bypass PackageResourceGuard

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue...

CVE-2026-43646 Apache Wicket: crafted URLs can bypass PackageResourceGuard

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue...