Lucene search
K

647 matches found

CVE
CVE
added 2026/03/26 8:48 p.m.59 views

CVE-2026-33628

Invoice Ninja (versions 5.13.0–5.13.3) is vulnerable to stored XSS via invoice line item descriptions rendered in PDF previews and client portals because the line item description field was not passed through purify::clean() before rendering. The root cause is the missing sanitization in the rend...

5.4CVSS5.9AI score0.00231EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/26 8:25 p.m.3 views

CVE-2026-33738

Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo description field is stored without HTML sanitization and rendered using !! $item-summary !! Blade unescaped output in the RSS, Atom, and JSON feed templates. The /feed endpoint is publicly accessible without...

4.8CVSS5.9AI score0.00214EPSS
Exploits1References5Affected Software1
CVE
CVE
added 2026/03/26 8:25 p.m.7 views

CVE-2026-33738

Vulnerability summary (CVE-2026-33738) : Lychee prior to version 7.5.3 is affected. The photo description field is stored without HTML sanitization and is rendered via unescaped Blade output ({!! $item->summary !!}) in the RSS, Atom, and JSON feed templates. The publicly accessible /feed endpo...

5.4CVSS5.9AI score0.00214EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/03/26 8:25 p.m.4 views

CVE-2026-33738 Lychee Vulnerable to Stored XSS via Photo Description in RSS/Atom/JSON Feed (No Sanitization on Public Endpoint)

Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo description field is stored without HTML sanitization and rendered using !! $item-summary !! Blade unescaped output in the RSS, Atom, and JSON feed templates. The /feed endpoint is publicly accessible without...

4.8CVSS6AI score0.00214EPSS
Exploits1References6
NVD
NVD
added 2026/03/26 5:16 p.m.6 views

CVE-2026-33402

Sakai is a Collaboration and Learning Environment CLE. In versions 23.0 through 23.4 and 25.0 through 25.1, group titles and description can contain cross-site scripting scripts. The patch is included in releases 25.2 and 23.5. As a workaround, one can check the SAKAISITEGROUP table for titles an...

6.1CVSS0.00194EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/26 4:45 p.m.6 views

EUVD-2026-16256

Sakai is a Collaboration and Learning Environment CLE. In versions 23.0 through 23.4 and 25.0 through 25.1, group titles and description can contain cross-site scripting scripts. The patch is included in releases 25.2 and 23.5. As a workaround, one can check the SAKAISITEGROUP table for titles an...

5.3CVSS5.6AI score0.00194EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/26 4:45 p.m.1 views

CVE-2026-33402

Sakai is a Collaboration and Learning Environment CLE. In versions 23.0 through 23.4 and 25.0 through 25.1, group titles and description can contain cross-site scripting scripts. The patch is included in releases 25.2 and 23.5. As a workaround, one can check the SAKAISITEGROUP table for titles an...

5.3CVSS5.6AI score0.00194EPSS
Exploits0References3Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/26 3:10 p.m.4 views

CVE-2026-32124

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the dynamic code picker AJAX endpoint returns code descriptions codetext that are rendered in the front end e.g. DataTables without HTML escaping. If an administrator or user...

5.4CVSS5.9AI score0.00162EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:7 p.m.5 views

CVE-2026-31833

Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive attributeNameCheck configuration /.+/ in the UFM DOMPurify instance, event handler...

6.7CVSS5.8AI score0.0026EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:2 p.m.6 views

CVE-2026-32308

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in Mermaid diagrams,...

7.6CVSS6AI score0.00224EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/03/26 12:0 a.m.13 views

Sakai 跨站脚本漏洞

Sakai is an open-source technology solution provided free of charge by Apereo Sakai, featuring rich functionality for learning, teaching, research, and collaboration. Versions of Sakai prior to 23.4 and 25.1 prior to 25.1 contain a cross-site scripting vulnerability. This vulnerability stems from...

6.1CVSS5.6AI score0.00194EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/26 12:0 a.m.3 views

PT-2026-28519

Name of the Vulnerable Software and Affected Versions Lychee versions prior to 7.5.3 Description Lychee is a free, open-source photo-management tool. Before version 7.5.3, the photo description field was stored without HTML sanitization and rendered using !! $item-summary !! Blade unescaped outpu...

4.8CVSS6AI score0.00214EPSS
Exploits1References6
CNNVD
CNNVD
added 2026/03/26 12:0 a.m.8 views

Lychee 跨站脚本漏洞

Lychee is a beautiful and easy-to-use photo management system developed by The Lychee Organisation. It is used for managing and sharing photos. Versions of Lychee prior to 7.5.3 had a cross-site scripting vulnerability; this vulnerability occurred due to the lack of HTML cleaning when storing pho...

5.4CVSS5.6AI score0.00214EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/03/26 12:0 a.m.6 views

PT-2026-28480

Name of the Vulnerable Software and Affected Versions Sakai versions 23.0 through 23.4 Sakai versions 25.0 through 25.1 Description Sakai is a Collaboration and Learning Environment CLE. Group titles and descriptions can contain cross-site scripting scripts. The issue affects versions 23.0 throug...

5.3CVSS5.8AI score0.00194EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/03/24 8:40 p.m.8 views

Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items

Vulnerability Details Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal. The line item description field was not passed through purify::clean before...

5.4CVSS5.9AI score0.00231EPSS
Exploits0References5Affected Software1
Packet Storm News
Packet Storm News
added 2026/03/20 12:0 a.m.2 views

Improving Generalization on Cybersecurity Tasks with Multi-Modal Contrastive Learning

The use of ML in cybersecurity has long been impaired by generalization issues: Models that work well in controlled scenarios fail to maintain performance in production. The root cause often lies in ML algorithms learning superficial patterns shortcuts rather than underlying cybersecurity concept...

5.8AI score
Exploits0
ATTACKERKB
ATTACKERKB
added 2026/03/12 9:29 p.m.3 views

CVE-2026-32308

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in Mermaid diagrams,...

7.6CVSS6AI score0.00224EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/03/12 9:29 p.m.207 views

CVE-2026-32308

OneUptime prior to version 10.0.23 is affected by a Stored XSS in the Markdown viewer’s Mermaid diagram rendering. The renderer uses securityLevel: "loose" and injects Mermaid SVG output via innerHTML, allowing interactive bindings and enabling XSS via Mermaid’s click directive to execute arbitra...

7.6CVSS6AI score0.00224EPSS
Exploits1References1Affected Software1
Packet Storm News
Packet Storm News
added 2026/03/12 12:0 a.m.5 views

Automatic Attack Script Generation: A MDA Approach

It is widely recognized that practical exercises are crucial for teaching cybersecurity in higher education. However, their setup is not only expensive, time-consuming, and prone to numerous errors, but also requires technical and programming skills to create attack contexts and scripts. To...

5.8AI score
Exploits0
NVD
NVD
added 2026/03/11 9:16 p.m.8 views

CVE-2026-32124

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the dynamic code picker AJAX endpoint returns code descriptions codetext that are rendered in the front end e.g. DataTables without HTML escaping. If an administrator or user...

5.4CVSS0.00162EPSS
Exploits1References1
Rows per page
Query Builder