MeshCore Card cross-site scripting vulnerability
The MeshCore Card is a Home Assistant card developed by John Pettitt, designed to display statistical data related to the MeshCore grid network. Versions of the MeshCore Card prior to 0.3.3 contained a cross-site scripting vulnerability. This vulnerability stemmed from the fact that the names of...
Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend
TL;DR This vulnerability affects all Kirby sites that allow the use of the link: … KirbyTag, the link: parameter of the image: … KirbyTag, the built-in image block with a link or the HTML importer for blocks, when content is authored by users who may not be fully trusted. The attack requires an...
GHSA-5FHX-9Q32-Q257 Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontend
TL;DR This vulnerability affects all Kirby sites that use the list field or list block, when content is authored by users who may not be fully trusted. The attack requires an authenticated Panel user with update permission to any list field or list block. This vulnerability is of high severity fo...
CVE-2026-35035
Summary: CVE-2026-35035 affects CI4MS (CodeIgniter 4-based CMS skeleton). A stored XSS vulnerability exists in System Settings – Company Information where attacker-controlled fields (e.g., Company Name, Slogan, contact fields, Google Maps link, media fields) are input and persisted server-side, t...
CVE-2026-33334 Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegration
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables nodeIntegration in the renderer process without contextIsolation or sandbox. This means any cross-site scripting (XSS) vulnerability in...
CVE-2026-26023 Client‑side DOM XSS in the web chat app of Dify when using echarts
Dify is an open-source LLM app development platform. Prior to 1.13.0, a cross-site scripting vulnerability existed in the web application chat frontend when using echarts. User or LLM inputs containing an echarts chart that carries a specific JavaScript payload will be executed. This vulnerability is...
CVE-2026-25578
Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched i...
GHSA-RH3R-8PXM-HG4W Navidrome has XSS via comment from song metadata
Summary An XSS vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. An attacker's maliciously crafted song has to be added to Navidrome to exploit the vulnerability. Details The frontend is using React. In...
Gibbon 14.0.01 Frame Injection
Frame injection vulnerabilities exist in Gibbon version 14.0.01. These vulnerabilities allow remote attackers to inject arbitrary HTML frames into the application. This issue is older research added to the archive. Gibbon v14.0.01 - Frame Injection Vulnerabilities Advisory ID: RO-18-012 Severity:...
CVE-2025-27232 Frontend arbitrary file read in oauth.authorize action
An authenticated Zabbix Super Admin can exploit the oauth.authorize action to read arbitrary files from the webserver leading to potential confidentiality loss...
CVE-2025-13164
EasyFlow GP developed by Digiwin has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain plaintext credentials of AD and system mail from the system frontend...
Protection Mechanism Failure
Overview: chrome-devtools-frontend is a Chrome DevTools UI. Affected versions of this package are vulnerable to Protection Mechanism Failure through the openInNewTab function in the InspectorFrontendHostStub class within Chrome's DevTools component. An attacker can perform a sandbox escape by...
EUVD-2021-11445
Malware in sbrugna...
EUVD-2020-3207
Malware in sbrugna...
EUVD-2022-1353
Malicious code in bioql PyPI...
EUVD-2023-51740
Malicious code in bioql PyPI...
EUVD-2022-0181
Malicious code in bioql PyPI...
EUVD-2025-27713
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2022-31084
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 there are...
CVE-2025-24022
iTop is a web-based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, server code execution is possible through the frontend of iTop's portal. This is fixed in versions 2.7.12, 3.1.3 and 3.2.1...