Advisory ROSA-SA-2026-3284
Software: tigervnc 1.13.1
OS: ROSA-CHROME
Unaffected versions: tigervnc-1.13.1-2
Affected versions: tigervnc-1.13.1-2
CVE-ID: CVE-2026-34352
BDU-ID: None
CVE severity: HIGH
CVE description: An invalid permissions vulnerability in the Image.cxx component of x0vncserver in TigerVNC allows other users to view...
CVE-2025-14576
CVE-2025-14576 affects Qt's SVG module (the VectorImage component in Qt Quick). The root cause is insufficient validation of node IDs, which enables arbitrary QML/JavaScript code injection when a malicious SVG file is loaded. The NVD entry notes a local attack vector with no privileges required and passive user interact...
CVE-2025-14576 Possible QML code injection in VectorImage component
Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of...
PT-2026-36093
Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of...
CVE-2022-50905 e107 CMS v3.2.1 - Reflected XSS via Comment Flow
e107 CMS version 3.2.1 contains multiple vulnerabilities that allow cross-site scripting (XSS) attacks. The first is a reflected XSS in the news comment functionality, triggered when an authenticated user interacts with the comment form. An attacker can inject malicious JavaScript code...
CVE-2022-50905
CVE-2022-50905 affects e107 CMS v3.2.1. The issues: (1) a reflected XSS in the news comment flow, where an authenticated user can inject JavaScript via a URL parameter that executes when they click outside the comment field; (2) an upload restriction bypass for authenticated administrators that e...
e107 cross-site scripting vulnerability
e107 is a free, open-source content management system (CMS) from the E107 team, built on PHP and MySQL. It supports a variety of plug-ins and themes and can be used as a personal blog, discussion community, archive repository and so on. A cross-site scripting vulnerability...
PT-2025-49682
Vulnerable software and affected versions: NiceGUI 3.3.1 and below. Description: NiceGUI, a Python-based UI framework, has an issue where the ui.interactive_image component can be exploited for cross-site scripting (XSS). The component renders Scalable Vector Graphics (SVG) content...
CVE-2025-61488
An issue in Senayan Library Management System SLiMS 9 Bulian v.9.6.1 allows a remote attacker to execute arbitrary code via the scrapimage.php component and the imageURL parameter...
DCMTK buffer error vulnerability
DCMTK is a collection of libraries and applications from the open-source DCMTK project that implements most of the DICOM standard: software for examining, building and converting DICOM image files, processing offline media, sending and receiving images over network connections, and demonstrating image...
CVE-2022-46493
The default version of nbnbk was discovered to contain an arbitrary file upload vulnerability via the component /api/User/downloadimg...
CVE-2021-45340
In libsixel through v1.10.3, a NULL pointer dereference in the stbimage.h component allows attackers to cause a denial of service (DoS) via a crafted PICT file...
Strapi Security Vulnerabilities
Strapi is an open-source content management system (CMS). Strapi version 4.24.4 has a server-side request forgery (SSRF) in the /strapi.io/next/image component, which could allow an attacker to scan for open ports or access sensitive information...
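An image proxy endpoint like the one in the Strapi entry above turns into an SSRF primitive when it fetches whatever URL the client supplies. The check below is an added example written for this page, not Strapi's code: it allowlists schemes and hosts, rejects URLs that carry credentials, treats literal IPs directly, and rejects any resolved address that is loopback, link-local (cloud metadata lives at 169.254.169.254), private, or IPv4-mapped onto one of those. The host names in ALLOWED_HOSTS and the resolved addresses passed in by demo() are constructed for the example; the function does no DNS lookups itself.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hosts the proxy may fetch from (constructed for this example; a real
# deployment would load its allowlist from configuration).
ALLOWED_HOSTS = {"cdn.example.com", "images.example.org"}


def is_public_ip(addr: str) -> bool:
    """True only for globally routable addresses. ipaddress.is_global already
    excludes loopback, link-local, RFC 1918, ULA, unspecified and multicast;
    IPv4-mapped IPv6 (::ffff:10.0.0.1) is unwrapped so it cannot slip past."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def check_image_url(url: str, resolved_ips=None) -> tuple[bool, str]:
    """Decide whether an image-proxy endpoint may fetch `url`.
    `resolved_ips` is the list of addresses the host name resolved to; the
    caller resolves once, passes the result here, and then connects to those
    same addresses (with redirects disabled or re-checked) so a DNS rebinding
    between check and fetch cannot change the destination."""
    try:
        parts = urlsplit(url)
    except ValueError as e:
        return False, f"unparseable URL: {e}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        # http://cdn.example.com@127.0.0.1/ : the real host is 127.0.0.1
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        ok = is_public_ip(host)
        return ok, "literal IP is " + ("public" if ok else "internal")
    if host.lower() not in ALLOWED_HOSTS:
        # Also catches decimal/hex/octal IP spellings the parser rejects.
        return False, f"host {host!r} not on allowlist"
    for ip in (resolved_ips or []):
        if not is_public_ip(ip):
            return False, f"host resolves to internal address {ip}"
    return True, "ok"


def demo():
    # Constructed cases; the "resolved" addresses are stand-ins for DNS answers.
    cases = [
        ("https://cdn.example.com/a.png", ["8.8.8.8"]),
        ("https://cdn.example.com/a.png", ["8.8.8.8", "10.0.0.5"]),  # split answer
        ("http://169.254.169.254/latest/meta-data/", None),           # cloud metadata
        ("http://[::1]:1337/", None),
        ("http://cdn.example.com@127.0.0.1/", None),
        ("file:///etc/passwd", None),
        ("http://evil.example.net/x.png", ["1.1.1.1"]),
    ]
    return [(url, check_image_url(url, ips)) for url, ips in cases]


if __name__ == "__main__":
    for url, (ok, why) in demo():
        print(f"{'ALLOW' if ok else 'DENY ':5} {url:45} {why}")
```

The allowlist is doing most of the work: a private-range denylist alone is bypassable through DNS rebinding, redirects to internal hosts, and unusual IP spellings, which is why the function insists on a known host name or a literal public IP and expects the caller to pin the connection to the addresses it checked.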
CVE-2023-42426
A cross-site scripting (XSS) vulnerability in Froala Editor v4.1.1 allows remote attackers to execute arbitrary code via the 'Insert link' parameter in the 'Insert Image' component...
PT-2023-28334 · Froala · Froala Editor
Vulnerable software and affected versions: Froala Editor version 4.1.1. Description: A cross-site scripting (XSS) issue allows remote attackers to execute arbitrary code via the Insert link parameter in the Insert Image component. This enables attackers to inject malicious code,...
Sanitization Management System security vulnerability
Sanitization Management System is a sanitization management application by the independent developer Carlo Montero. A security vulnerability in Sanitization Management System v1.0 stems from its /classes/Master.php?f=deleteimg component, which allows an attacker to perform arbitrary file deleti...
CVE-2022-27435
An unrestricted file upload at /public/admin/index.php?addproduct of Ecommerce-Website v1.1.0 allows attackers to upload a webshell via the Product Image component...
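Several entries above share one root cause: an "image" input that is never checked for what it actually contains. The webshell upload via the Product Image component, the SVG rendered by NiceGUI's ui.interactive_image, and the Qt VectorImage node-ID injection are all caught by validating the bytes rather than the filename. The code below is an added example for this page, not code from any of the projects listed: it accepts raster images only when the extension is allowlisted, is the file's only extension, and matches the magic bytes, and it accepts SVG only after parsing it and rejecting script-bearing elements, event-handler attributes, javascript:/data: URLs and node IDs that are not plain identifiers (the strict ID grammar is an assumption about what a generator that interpolates IDs into QML would need; the real Qt fix is not reproduced here). All sample files in SAMPLES are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Raster types identified by magic bytes, never by the client-supplied
# filename or Content-Type.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
SVG_NS = "{http://www.w3.org/2000/svg}"
# Elements that execute script or pull in external content.
DANGEROUS_TAGS = {"script", "foreignObject", "iframe", "embed", "object",
                  "use", "image", "a"}
# Assumed node-ID grammar: a bare identifier that no code generator could
# misread as QML/JavaScript syntax.
ID_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def check_svg(data: bytes) -> list[str]:
    """Return the reasons an SVG must be rejected (empty list = clean).
    Note: ElementTree does not protect against entity-expansion bombs;
    parse untrusted XML with defusedxml in production."""
    problems = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as e:
        return [f"malformed XML: {e}"]
    if root.tag not in ("svg", SVG_NS + "svg"):
        problems.append(f"root element is {root.tag!r}, not <svg>")
    for el in root.iter():
        tag = el.tag.split("}")[-1]            # strip namespace prefix
        if tag in DANGEROUS_TAGS:
            problems.append(f"disallowed element <{tag}>")
        for name, value in el.attrib.items():
            local = name.split("}")[-1]         # xlink:href -> href
            if local.startswith("on"):          # onload=, onclick=, ...
                problems.append(f"event handler attribute {local}")
            if local == "id" and not ID_RE.match(value):
                problems.append(f"unsafe id {value!r}")
            if local in ("href", "src") and \
                    value.strip().lower().startswith(("javascript:", "data:")):
                problems.append(f"unsafe URL in {local}: {value[:40]!r}")
    return problems


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Accept name.ext with exactly one allowlisted extension whose content
    matches; shell.php.png and a PNG-named PHP file are both rejected."""
    name = filename.rsplit("/", 1)[-1]
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be name.ext with exactly one extension"
    ext = "jpg" if parts[1] == "jpeg" else parts[1]
    if ext == "svg":
        problems = check_svg(data)
        return (not problems, "; ".join(problems) or "ok")
    magic = MAGIC.get(ext)
    if magic is None:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(magic):
        return False, f"content does not look like {ext}"
    # Defence in depth against PNG/PHP polyglots; re-encoding the image and
    # storing it outside the web root is the real fix, not this byte scan.
    if b"<?php" in data or b"<script" in data.lower():
        return False, "image contains embedded code"
    return True, "ok"


# Constructed sample uploads (not taken from any real advisory).
SAMPLES = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "shell.php": b"<?php system($_GET['c']); ?>",
    "shell.php.png": b"\x89PNG\r\n\x1a\n" + b"<?php echo 1; ?>",
    "fake.png": b"<?php system($_GET['c']); ?>",
    "clean.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><circle id="dot" r="4"/></svg>',
    "xss.svg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
               b'<script>alert(2)</script></svg>',
    "inject.svg": b'<svg xmlns="http://www.w3.org/2000/svg">'
                  b'<rect id="a; foo: bar" width="1"/></svg>',
}


def scan_samples():
    return {name: validate_upload(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why) in scan_samples().items():
        print(f"{name:15} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Even a clean SVG is still an XML document with a scripting surface, so an application that must render user-supplied SVG should also serve it with a Content-Security-Policy that forbids script, or rasterise it first; the parser check above is the minimum, not the whole control.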