CVE-2026-41259
Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted...
CVE-2026-39667
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jongmyoung Kim Korea SNS (korea-sns) allows DOM-Based XSS. This issue affects Korea SNS: from n/a through <= 1.7.0...
EUVD-2026-19279
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface...
HTTPS Fetch, DNS TXT Record Payload Download and Execution
Fetch and execute an x86 payload from an HTTPS server. Performs a TXT query against a series of DNS records and executes the returned x86 shellcode. The DNSZONE option is used as the base name to iterate over. The payload will first request the TXT contents of the "a" hostname, followed by "b", then ...
PT-2026-29727
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark O’Donnell MSTW League Manager allows DOM-Based XSS. This issue affects MSTW League Manager: from n/a through 2.10...
CVE-2026-0396
A flaw was found in dnsdist. A remote attacker could exploit this vulnerability by sending specially crafted DNS queries to a dnsdist instance where domain-based dynamic rules have been enabled. This could allow the attacker to inject malicious HTML content into the internal web dashboard,...
CVE-2026-0396
CVE-2026-0396: The vulnerability affects a dnsdist instance with domain-based dynamic rules enabled (DynBlockRulesGroup:setSuffixMatchRule or setSuffixMatchRuleFFI). An attacker can inject HTML content into the internal web dashboard by sending crafted DNS queries. The reports do not specify aff...
CVE-2025-62043
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPSight WPCasa allows DOM-Based XSS. This issue affects WPCasa: from n/a through 1.4.1...
CVE-2026-32361
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marketing Fire Editorial Calendar (editorial-calendar) allows DOM-Based XSS. This issue affects Editorial Calendar: from n/a through <= 3.9.0...
GHSA-4CM8-XPFV-JV6F ZeptoClaw: Email Sender Spoofing to bypass Header-Only From Allowlist Validation
Summary: The email channel authorizes senders based on the parsed From header identity only. If upstream email authentication/enforcement is weak (for example, relaxed SPF/DKIM/DMARC handling), an attacker can spoof an allowlisted sender address and have the message treated as trusted input. Details...
CVE-2025-69368
CVE-2025-69368 is a DOM-based XSS in GT3themes SOHO – Photography WordPress Theme (soho) up to version 3.0.3, caused by improper input neutralization during web page generation. Public sources (NVD/Red Hat/CVE listing) describe the vulnerability as cross-site scripting with DOM-based execution an...
CVE-2025-68538
CVE-2025-68538 affects ThemeGoods Craft craftcoffee (WordPress Theme Craft) with a DOM-Based XSS in the web page generation path due to improper input neutralization. Affected versions are
CVE-2023-49186 WordPress Machic Core plugin <= 1.2.6 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting', XSS) vulnerability in KlbTheme Machic Core allows DOM-Based XSS. This issue affects Machic Core: from n/a through 1.2.6...
CVE-2025-68991
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in xenioushk BWL Pro Voting Manager (bwl-pro-voting-manager) allows DOM-Based XSS. This issue affects BWL Pro Voting Manager: from n/a through <= 1.4.9...
CVE-2025-64538
Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by injecting malicious scripts into a web page that are executed in the context of the...
CVE-2025-64583
Adobe Experience Manager 6.5.23 and earlier is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability (CWE-79) that could allow a low-privileged attacker to run malicious scripts in a victim’s browser after user interaction. The issue is gated by user interaction (e.g., visiting a craft...
CVE-2025-63046
CVE-2025-63046: DOM-based XSS in the WordPress ListingPro plugin (
CVE-2025-61084
MDaemon Mail Server 23.5.2 validates SPF, DKIM, and DMARC using the email enclosed in angle brackets in the From: header of SMTP DATA. An attacker can craft a From: header with multiple invisible Unicode thin spaces to display a spoofed sender while passing validation, allowing email spoofing eve...
MDaemon Mail Server security vulnerability
MDaemon Mail Server is an e-mail server software product from MDaemon Inc. in the United States. A security vulnerability exists in MDaemon Mail Server version 23.5.2; it originates from the server validating SPF, DKIM, and DMARC using the address enclosed in angle brackets in the From header of the SMT...
PT-2025-45159
Name of the Vulnerable Software and Affected Versions: SelfBest platform version 2023.3. Description: A DOM-based Cross-Site Scripting (XSS) issue exists in the SelfBest platform. This allows attackers to execute arbitrary JavaScript within a logged-in user's session. The attack vector involves...