CVE-2026-26365: Incorrect processing of “Connection: Transfer-Encoding”

...

CVE-2025-15562

The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim's browser if the victim opens a URL prepared by the attacker...

SVXportal 安全漏洞

SVXportal is a portal website developed by Peter as an individual developer. Versions of SVXportal 2.5 and earlier had security vulnerabilities. These vulnerabilities stemmed from insufficient encoding of user input fields during the registration process, which could lead to stored-xss attacks...

leafkit 安全漏洞

Leafkit is an open-source application developed by Vapor. It uses Swift to create modular server-side software. Versions of Leafkit prior to 1.4.1 contained security vulnerabilities. These vulnerabilities stemmed from the fact that htmlEscaped only matched extended character clusters, which could...

SVXportal 安全漏洞

SVXportal is a portal website developed by Peter as an individual developer. Versions of SVXportal 2.5 and earlier had security vulnerabilities. These vulnerabilities stemmed from insufficient encoding of user input fields during the profile update process, which could lead to stored-xss attacks...

CVE-2026-27476

RustFly 2.0.0 contains a command injection vulnerability in its remote UI control mechanism that accepts hex-encoded instructions over UDP port 5005 without proper sanitization. Attackers can send crafted hex-encoded payloads containing system commands to execute arbitrary operations on the targe...

Feathers exposes internal headers via unencrypted session cookie

All HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth service stores the complete headers object in the session: javascript //...

Improper Encoding or Escaping of Output

Overview jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the addJS method. An attacker can inject arbitrary PDF objects and execute malicious actions or alter the document structure by supplying...

USN-8053-1: libvpx vulnerability

It was discovered that libvpx did not properly handle certain malformed media files. If an application using libvpx opened a specially crafted file, a remote attacker could cause a denial of service, or possibly execute arbitrary code...

CVE-2025-15562

The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim's browser if the victim opens a URL prepared by the attacker...

CVE-2025-15562

The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim's browser if the victim opens a URL prepared by the attacker...

CVE-2025-15562

CVE-2025-15562 is a reflected cross-site scripting vulnerability affecting NesterSoft WorkTime. The issue occurs at the server API endpoint /report/internet/urls, which reflects user-supplied data into the HTML response without proper encoding or filtering. This can allow an attacker to execute a...

CVE-2026-2703

A weakness has been identified in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::decodebase64 of the file source/detail/cryptography/base64.cpp of the component Encrypted XLSX File Parser. Executing a manipulation can lead to off-by-one. The attack requires local access...

PT-2026-20801

The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim's browser if the victim opens a URL prepared by the attacker...

NesterSoft WorkTime 安全漏洞

NesterSoft WorkTime is a project tracking software developed by the Canadian company NesterSoft. NesterSoft WorkTime has a security vulnerability that stems from improper encoding or filtering of data at the internet/urls endpoint, which may lead to cross-site scripting attacks...

CVE-2026-1438

Reflected Cross-Site Scripting XSS vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker ...

CVE-2026-1440

Reflected Cross-Site Scripting XSS vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker ...

CVE-2026-1441

Reflected Cross-Site Scripting XSS vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker ...

CVE-2026-1438 Reflected Cross-Site Scripting (XSS) vulnerability in Graylog Web Interface

Reflected Cross-Site Scripting XSS vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker ...

PT-2026-20396

Reflected Cross-Site Scripting XSS vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker ...