606 matches found

RedhatCVE
added 2 days ago, 7 views

CVE-2026-44574

A flaw was found in Next.js. This vulnerability allows an attacker to bypass security checks in web applications that use Next.js middleware to protect specific web pages. By sending specially crafted web addresses, an attacker can access protected content without proper authorization. This could...

CVSS 8.1, AI score 5.6, EPSS 0.00011
Exploits: 2, References: 4

NVD
added 3 days ago, 11 views

CVE-2026-48209

An improper neutralization of user-controllable input in OTRS or OTRS Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into...

CVSS 7.1, EPSS 0.00037
Exploits: 0, References: 1

Veracode
added 2026/05/15 11:11 a.m., 6 views

Cross-Site Scripting (XSS)

github.com/siyuan-note/siyuan is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to incomplete SVG sanitization and improper handling of user-controlled input in the /api/icon/getDynamicIcon endpoint, which allows an attacker to inject malicious SVG content and execute JavaScript...

CVSS 9.3, AI score 6.4, EPSS 0.001
Exploits: 1, References: 3, Affected Software: 1

CNNVD
added 2026/05/14 12:0 a.m., 5 views

WEBCON BPS cross-site scripting vulnerability

WEBCON BPS is a low-code business process management and workflow automation platform developed by the Polish company WEBCON. Versions of WEBCON BPS prior to 2026.1.3.109 and 2025.2.1.293 contained a cross-site scripting vulnerability. This vulnerability stemmed from reflective cross-site scripti...

CVSS 5.1, AI score 5.8, EPSS 0.00088
Exploits: 0, References: 1

CNNVD
added 2026/05/12 12:0 a.m., 4 views

SAP NetWeaver Application Server ABAP cross-site scripting vulnerability

SAP NetWeaver Application Server ABAP is a platform used by SAP, a German company, for the operation and development of applications written in the ABAP language. SAP NetWeaver Application Server ABAP has a cross-site scripting vulnerability. This vulnerability stems from reflective cross-site...

CVSS 4.7, AI score 5.7, EPSS 0.00022
Exploits: 0, References: 1

Veracode
added 2026/05/11 2:20 p.m., 8 views

Cross-site Scripting (XSS)

SiYuan is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper escaping of attacker-controlled content in SVG output generated by the dynamic icon API endpoint, which allows an attacker to inject and execute malicious JavaScript through crafted URLs...

CVSS 9.3, AI score 7.3, EPSS 0.00462
Exploits: 1, References: 2, Affected Software: 2

OSV
added 2026/05/08 11:16 p.m., 5 views

ALPINE-CVE-2026-42307

Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary...

CVSS 4.4, AI score 6, EPSS 0.0023
Exploits: 0, References: 1

Snyk
added 2026/05/06 11:43 p.m., 8 views

Server-side Request Forgery (SSRF)

Overview: PlaywrightCapture is a simple library to capture websites using playwright. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the capture process. An attacker can access internal network resources or local files by supplying a crafted URL that...

CVSS 8.7, AI score 5.8, EPSS 0.00052
Exploits: 0, References: 2

Vulnrichment
added 2026/05/06 8:31 a.m., 5 views

CVE-2026-43646 Apache Wicket: crafted URLs can bypass PackageResourceGuard

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue...

AI score 5.8, EPSS 0.00082
Exploits: 0, References: 1

Cvelist
added 2026/05/06 8:31 a.m., 22 views

CVE-2026-43646 Apache Wicket: crafted URLs can bypass PackageResourceGuard

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue...

EPSS 0.00082
Exploits: 0, References: 1

Cvelist
added 2026/04/30 6:8 a.m., 25 views

CVE-2026-41226

Open redirect vulnerability exists in multiple laser printers and MFPs which implement Ricoh Web Image Monitor. When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack...

CVSS 5.1, EPSS 0.00011
Exploits: 0, References: 3

Positive Technologies
added 2026/04/29 12:0 a.m., 5 views

PT-2026-39213

Name of the Vulnerable Software and Affected Versions: Vim versions prior to 9.2.0383. Description: An OS command injection issue exists in the netrw standard plugin. An attacker can execute arbitrary shell commands with the privileges of the Vim process by inducing a user to open a crafted URL,...

CVSS 4.4, AI score 6, EPSS 0.0023
Exploits: 0, References: 22

ATTACKERKB
added 2026/04/24 12:16 a.m., 1 views

CVE-2026-31956

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to preview campaigns/regions, and export saved reports belonging to other users. Exploitation of th...

CVSS 4.3, AI score 5.7, EPSS 0.00034
Exploits: 0, References: 3, Affected Software: 1

Tenable Nessus
added 2026/04/23 12:0 a.m., 1 views

RHEL 6 : python (RHSA-2026:10102)

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:10102 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic da...

CVSS 7, AI score 5.5, EPSS 0.00015
Exploits: 0, References: 4

NVD
added 2026/04/14 12:16 a.m., 0 views

CVE-2026-27683

SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user's browser, potentially exposing restricted information. This results in a low impact...

CVSS 4.1, EPSS 0.00034
Exploits: 0, References: 2

CVE
added 2026/04/14 12:8 a.m., 4 views

CVE-2026-27683

CVE-2026-27683 affects SAP BusinessObjects BI: an authenticated attacker can inject malicious JavaScript via crafted URLs, causing script execution in the victim’s browser. Impact is limited to confidentiality (LOW) with no impact on integrity or availability. The vulnerability arises from URL-ba...

CVSS 4.1, AI score 5.8, EPSS 0.00034
Exploits: 0, References: 2

Vulnrichment
added 2026/04/14 12:8 a.m., 1 views

CVE-2026-27683 Reflected cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform

SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user's browser, potentially exposing restricted information. This results in a low impact...

CVSS 4.1, AI score 5.8, EPSS 0.00034
Exploits: 0, References: 2

EUVD
added 2026/04/14 12:8 a.m., 4 views

EUVD-2026-22156

SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user's browser, potentially exposing restricted information. This results in a low impact...

CVSS 4.1, AI score 5.8, EPSS 0.00034
Exploits: 0, References: 2

Cvelist
added 2026/04/14 12:8 a.m., 22 views

CVE-2026-27683 Reflected cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform

SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user's browser, potentially exposing restricted information. This results in a low impact...

CVSS 4.1, EPSS 0.00034
Exploits: 0, References: 2

Positive Technologies
added 2026/04/14 12:0 a.m., 1 views

PT-2026-32762

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser...

CVSS 9.3, AI score 5.7, EPSS 0.00119
Exploits: 0, References: 4