CVE-2026-31868 Parse Server has Stored XSS via file upload of HTML-renderable file types

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.4 and 8.6.30, an attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server...

CVE-2026-26272

CVE-2026-26272 – HomeBox is affected by a stored XSS in the item attachment upload feature. An authenticated user can upload HTML or SVG files containing JavaScript due to improper validation of file types; attachments are served via direct links and the script runs in the app’s origin when opene...

Statamic Cross-Site Scripting Vulnerability

Statamic is a powerful flat file Cms built on Laravel by Statamic, Inc. for storing all content, templates, assets, and settings in files instead of a database. A cross-site scripting vulnerability exists in Statamic that stems from an attacker being able to craft and upload HTML files that look...

CVE-2023-27133

TSplus Remote Work 16.0.0.0 has weak permissions for .exe, .js, and .html files under the %PROGRAMFILESX86%\TSplus-RemoteWork\Clients\www folder. This may enable privilege escalation if a different local user modifies a file. NOTE: CVE-2023-31067 and CVE-2023-31068 are only about the TSplus Remot...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS such that when users upload temporary files it is possible to upload .html or .htm files containing a malicious payload. The resulting link can be sent to an administrator user. Details Cross-site scripting or X...

May 1, 2018, update for Office 2016 (KB4022133)

May 1, 2018, update for Office 2016 KB4022133 This article describes update 4022133 for Microsoft Office 2016 that was released on May 1, 2018. This update has a prerequisite.Be aware that the update on the Microsoft Download Center applies to the Microsoft Installer .msi-based edition of Office...