Lucene search
+L

1187412 matches found

Cvelist
Cvelist
added 1 hour ago5 views

CVE-2026-54163 secure_headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input

secureheaders manages application of security headers with many safe defaults. Prior to 7.3.0, secureheaders builds the Content-Security-Policy value by stitching directives with ; separators, and buildsandboxlistdirective, buildmediatypelistdirective, and buildreporttodirective interpolate...

4.7CVSS0.00031EPSS
Exploits0References3
NVD
NVD
added 2 hours ago4 views

CVE-2026-16073

A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.25.2. Affected by this issue is the function Star.texttoimage/NetworkRenderStrategy.render of the file astrbot/core/star/base.py of the component T2I Feature. The manipulation leads to cross site scripting. The attack is...

5.1CVSS
Exploits0References5
Github Security Blog
Github Security Blog
added 3 hours ago3 views

plone.restapi: Stored XSS by spoofing mime type

Impact A stored XSS affecting RichText fields. RichTextValue.output returns the raw, unsanitized stored value whenever the stored mimeType equals the outputMimeType. Because the safe-HTML output type text/x-html-safe is the type that signifies "already sanitized", any value whose stored mimeType...

5.5AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 3 hours ago3 views

plone.app.textfield: Stored XSS by spoofing mime type

Impact A stored XSS affecting RichText fields. RichTextValue.output returns the raw, unsanitized stored value whenever the stored mimeType equals the outputMimeType. Because the safe-HTML output type text/x-html-safe is the type that signifies "already sanitized", any value whose stored mimeType...

5.4AI score
Exploits0References2Affected Software1
OSV
OSV
added 3 hours ago3 views

GHSA-4R4F-GG25-RMG5 plone.app.textfield: Stored XSS by spoofing mime type

Impact A stored XSS affecting RichText fields. RichTextValue.output returns the raw, unsanitized stored value whenever the stored mimeType equals the outputMimeType. Because the safe-HTML output type text/x-html-safe is the type that signifies "already sanitized", any value whose stored mimeType...

4.3CVSS5.4AI score
Exploits0References2
Cvelist
Cvelist
added 3 hours ago8 views

CVE-2026-16073 AstrBotDevs AstrBot T2I Feature base.py NetworkRenderStrategy.render cross site scripting

A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.25.2. Affected by this issue is the function Star.texttoimage/NetworkRenderStrategy.render of the file astrbot/core/star/base.py of the component T2I Feature. The manipulation leads to cross site scripting. The attack is...

5.1CVSS
Exploits0References5
CVE
CVE
added 3 hours ago3 views

CVE-2026-16073

Technical details are not publicly available in the provided documents. Monitor for updates.

5.1CVSS3.4AI score
Exploits0References5
EUVD
EUVD
added 3 hours ago4 views

EUVD-2026-45244

A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.25.2. Affected by this issue is the function Star.texttoimage/NetworkRenderStrategy.render of the file astrbot/core/star/base.py of the component T2I Feature. The manipulation leads to cross site scripting. The attack is...

5.1CVSS3.6AI score
Exploits0References5
Cvelist
Cvelist
added 4 hours ago5 views

CVE-2026-48015 Shopware: Stored XSS via SVG file upload — no SVG sanitization

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, SVG files are in the allowedextensions whitelist in src/Core/Framework/Resources/config/packages/shopware.yaml and can be uploaded via the media manager without SVG content sanitization in the upload pipeline from...

4.9CVSS0.00039EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 4 hours ago3 views

CVE-2026-48015 Shopware: Stored XSS via SVG file upload — no SVG sanitization

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, SVG files are in the allowedextensions whitelist in src/Core/Framework/Resources/config/packages/shopware.yaml and can be uploaded via the media manager without SVG content sanitization in the upload pipeline from...

4.9CVSS5.5AI score0.00039EPSS
Exploits0References5
CVE
CVE
added 4 hours ago21 views

CVE-2026-48015

Shopware core is affected by CVE-2026-48015 due to SVG files being allowed in the media upload whitelist and not sanitized in the upload pipeline (MediaUploadController → FileSaver → TypeDetector). Prior to versions 6.6.10.18 and 6.7.10.1, uploading SVGs could allow embedded JavaScript (onload, [...

4.9CVSS5.4AI score0.00039EPSS
Exploits0References5
NVD
NVD
added 4 hours ago6 views

CVE-2026-9588

A stored cross-site scripting XSS vulnerability exists in Sangoma Switchvox SMB Edition 8.3 104997 within the voicemail notification template functionality. The submitmodifyvoicemailtemplate endpoint fails to properly sanitize HTML content supplied by authenticated users, allowing malicious...

7CVSS
Exploits0References2
NVD
NVD
added 4 hours ago6 views

CVE-2026-9585

An unauthenticated reflected cross-site scripting XSS vulnerability exists in Sangoma Switchvox SMB Edition version 8.3 104997. The application fails to properly sanitize the portal parameter supplied to the invalidbrowser and invalidbrowserlogin handlers. User-supplied data is reflected into...

8.6CVSS
Exploits0References2
NVD
NVD
added 4 hours ago5 views

CVE-2026-49216

Symfony UX is a JavaScript ecosystem for Symfony. From 2.2.0 until 2.36.0 and 3.1.0, the Stimulus controller in symfony/ux-autocomplete renders AJAX response items in createAutocompleteWithRemoteData by interpolating the text field into HTML template literals $itemlabelField rather than text,...

5.1CVSS
Exploits0References4
NVD
NVD
added 4 hours ago5 views

CVE-2026-21762

HCL DevOps Loop is affected by missing HTTP security headers. Missing security headers may reduce browser protections against common web-based attacks such as clickjacking, MIME-type sniffing, and cross-site scripting...

3.7CVSS
Exploits0References1
Cvelist
Cvelist
added 4 hours ago9 views

CVE-2026-21762 Missing HTTP Security Headers in DevOps Loop

HCL DevOps Loop is affected by missing HTTP security headers. Missing security headers may reduce browser protections against common web-based attacks such as clickjacking, MIME-type sniffing, and cross-site scripting...

3.7CVSS
Exploits0References1
CVE
CVE
added 4 hours ago10 views

CVE-2026-21762

Technical details are not publicly available in the provided documents. Monitor for updates.

3.7CVSS4.7AI score
Exploits0References1
EUVD
EUVD
added 4 hours ago5 views

EUVD-2026-45232

HCL DevOps Loop is affected by missing HTTP security headers. Missing security headers may reduce browser protections against common web-based attacks such as clickjacking, MIME-type sniffing, and cross-site scripting...

3.7CVSS4.7AI score
Exploits0References1
NVD
NVD
added 5 hours ago5 views

CVE-2026-60025

The Joomla extension Events Booking prior version 5.8.0 had an frontend file upload endpoint that lacked CSRF protection...

Exploits0References1
NVD
NVD
added 5 hours ago6 views

CVE-2026-58148

The Joomla extension ChronoForms is vulnerable to an unauthenticated stored XSS vulnerability...

8.7CVSS
Exploits0References1
Rows per page
Query Builder