Lucene search

5930 matches found

Vulnrichment · added 2025/06/21 9:35 p.m. · 2 views

CVE-2025-1987 Stored XSS in Psono-Client via Malicious Vault Entry URLs

A Cross-Site Scripting (XSS) vulnerability has been identified in Psono-Client’s handling of vault entries of type websitepassword and bookmark, as used in Bitdefender SecurePass. The client does not properly sanitize the URL field in these entries. As a result, an attacker can craft a malicious...

CVSS 9.3 · AI score 6.5 · EPSS 0.00182
Exploits: 0 · References: 1

CVE · added 2025/06/21 9:35 p.m. · 90 views

CVE-2025-1987

CVE-2025-1987 describes a stored XSS in Psono-Client via malicious vault entries (website_password and bookmark) with unsanitised URL fields, used in Bitdefender SecurePass. A crafted javascript: URL can execute in the browser when a user interacts with the entry, potentially accessing the user’...

CVSS 9.3 · AI score 7 · EPSS 0.00182
Exploits: 0 · References: 1 · Affected software: 1

NVD · added 2025/06/21 2:15 a.m. · 2 views

CVE-2025-52557

Mail-0's Zero is an open-source email solution. In version 0.8 it is possible for an attacker to craft an email that executes JavaScript, leading to session hijacking, due to improper sanitization. This issue has been patched in version 0.81...

CVSS 8.6 · EPSS 0.00364
Exploits: 0 · References: 3

CVE · added 2025/06/21 1:42 a.m. · 18 views

CVE-2025-52557

Summary: CVE-2025-52557 affects Mail-0’s Zero Email Solution, specifically version 0.8, due to improper sanitization in email handling, which enables an attacker to craft an email that executes JavaScript and can cause session hijacking. Root cause: stored XSS stemming from insufficient sanitizati...

CVSS 8.6 · AI score 6.6 · EPSS 0.00364
Exploits: 0 · References: 3

Cvelist · added 2025/06/21 1:42 a.m. · 6 views

CVE-2025-52557 Mail-0 Zero Session Hijacking Via Email

Mail-0's Zero is an open-source email solution. In version 0.8 it is possible for an attacker to craft an email that executes JavaScript, leading to session hijacking, due to improper sanitization. This issue has been patched in version 0.81...

CVSS 8.6 · EPSS 0.00364
Exploits: 0 · References: 3

Positive Technologies · added 2025/06/21 12:00 a.m. · 2 views

PT-2025-26523 · Unknown · Psono-Client

Name of the Vulnerable Software and Affected Versions: Psono-Client, affected versions not specified. Description: A Cross-Site Scripting (XSS) issue has been identified in Psono-Client's handling of vault entries of type website password and bookmark, as used in Bitdefender SecurePass. The client do...

CVSS 9.3 · AI score 5.6 · EPSS 0.00182
Exploits: 0 · References: 8
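The three Psono-Client entries above describe one mechanism: the URL field of a vault entry is stored unsanitised, and a javascript: URL placed there runs when the user interacts with the entry. The following is an added example, not Psono's or Bitdefender's code, of the two rendering-side controls that close that class of bug: parse the stored URL and allow only http/https schemes, and HTML-escape everything that reaches the markup. The function names, the entry shape and the sample entries are constructed for this example and are not taken from the advisories.

```javascript
// Added example (not Psono-Client or Bitdefender SecurePass code): hardening the URL
// field of a vault entry before it becomes a clickable link. Names below
// (safeHref, renderEntry, the entry object shape) are this example's own.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Normalise an untrusted URL string and return it only if its scheme is allowed.
// WHATWG URL parsing (new URL) lowercases the scheme, strips leading/trailing
// whitespace and removes embedded tab/newline characters, so "  JaVaScRiPt:alert(1)"
// and "java\nscript:alert(1)" both normalise to the javascript: scheme and are
// rejected. Anything that does not parse as an absolute URL is rejected as well:
// the function returns null rather than guessing a base for a relative string.
function safeHref(untrusted) {
  if (typeof untrusted !== "string") return null;
  let parsed;
  try {
    parsed = new URL(untrusted);
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Render one vault entry. Only a validated URL becomes an <a href>; an entry whose
// URL fails validation is rendered as plain text, so a stored payload is never
// reachable through a click. rel="noopener noreferrer" keeps the opened page from
// reaching back into the vault window through window.opener.
function renderEntry(entry) {
  const title = escapeHtml(entry.title);
  const href = safeHref(entry.url);
  if (href === null) {
    return `<span class="entry-untrusted">${title}</span>`;
  }
  return `<a href="${escapeHtml(href)}" target="_blank" rel="noopener noreferrer">${title}</a>`;
}

// Constructed sample entries (not real data): one benign bookmark and several
// shapes that the stored-XSS class described above relies on.
const SAMPLE_ENTRIES = [
  { type: "bookmark", title: "Intranet", url: "https://intranet.example.test/" },
  { type: "website_password", title: "Mail", url: "javascript:alert(document.cookie)" },
  { type: "bookmark", title: "Mixed case", url: "  JaVaScRiPt:alert(1)" },
  { type: "bookmark", title: "Split scheme", url: "java\nscript:alert(1)" },
  { type: "bookmark", title: "Data URL", url: "data:text/html,<script>alert(1)</script>" },
  { type: "bookmark", title: "<b>Injected</b>", url: "http://example.test/?q=\"onmouseover=\"alert(1)" },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const e of SAMPLE_ENTRIES) console.log(renderEntry(e));
}
```

The scheme check is done on the parsed `protocol`, not with a regular expression over the raw string, because the browser applies the same normalisation when it follows the link; checking the raw string would miss the whitespace and case variants above. Rejecting relative strings is deliberate: a vault entry has no sensible base URL, and resolving one would let "/" style values point back into the vault's own origin.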

NVD · added 2025/06/19 3:15 a.m. · 7 views

CVE-2025-50183

OpenList Frontend is a UI component for OpenList. Prior to version 4.0.0-rc.4, a vulnerability exists in the file preview/browsing feature of the application, where files with a .py extension that contain JavaScript code wrapped in tags may be interpreted and executed as HTML in certain modes. Th...

CVSS 6.5 · EPSS 0.00198
Exploits: 0 · References: 2

Positive Technologies · added 2025/06/18 12:00 a.m. · 3 views

PT-2025-26200 · Unknown · Openlist Frontend

Name of the Vulnerable Software and Affected Versions: OpenList Frontend versions prior to 4.0.0-rc.4 Description: A stored XSS vulnerability exists in the file preview/browsing feature of the application. This occurs when files with a .py extension containing JavaScript code wrapped in tags are...

CVSS 6.5 · AI score 5.6 · EPSS 0.00198
Exploits: 0 · References: 9
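Both OpenList Frontend entries describe a file-preview feature that, in certain modes, treats a .py file containing JavaScript wrapped in tags as HTML. The following is an added example, not OpenList's code, of a preview policy that derives the rendering mode from an extension allowlist rather than from the file's content: text-like files are escaped into a pre element, HTML files are rendered only inside a fully sandboxed iframe, and the raw-file endpoint declares its Content-Type together with nosniff. All function names, the extension lists and the sample inputs are this example's own assumptions.

```javascript
// Added example (not OpenList Frontend code): deciding how a user-supplied file is
// previewed so that script inside a .py (or any non-HTML) file is displayed, never
// parsed. previewMode/previewMarkup model the UI component; previewHeaders models the
// raw-file endpoint behind it. All names and lists are assumptions for this example.

// Only these extensions may be rendered as HTML at all, and then only sandboxed.
const HTML_EXTENSIONS = new Set([".html", ".htm"]);

// Text-like files shown inline as escaped text. Everything else is a download.
const TEXT_EXTENSIONS = new Set([
  ".py", ".txt", ".md", ".json", ".js", ".css", ".yaml", ".yml", ".xml", ".log",
]);

// Last path component, accepting both slash styles so "../../x.py" cannot smuggle
// directory parts into a filename we later echo.
function baseName(name) {
  return String(name).split(/[\\/]/).pop();
}

// Lower-cased extension, or "" when there is none (".bashrc" counts as none).
function fileExt(name) {
  const base = baseName(name);
  const dot = base.lastIndexOf(".");
  return dot > 0 ? base.slice(dot).toLowerCase() : "";
}

// The mode depends on the declared extension only; the bytes are never sniffed,
// so "<script>" inside a .py file cannot promote it to HTML.
function previewMode(filename) {
  const ext = fileExt(filename);
  if (HTML_EXTENSIONS.has(ext)) return "html";
  if (TEXT_EXTENSIONS.has(ext)) return "text";
  return "download";
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Client side: the markup a previewer should produce. Text goes into <pre> escaped,
// so tags are shown literally. HTML goes into an iframe with an empty sandbox
// attribute (no scripts, opaque origin), so even a malicious page cannot run
// script or read the application's cookies and DOM.
function previewMarkup(filename, content) {
  switch (previewMode(filename)) {
    case "text":
      return `<pre class="preview">${escapeHtml(content)}</pre>`;
    case "html":
      return `<iframe sandbox="" srcdoc="${escapeHtml(content)}" referrerpolicy="no-referrer"></iframe>`;
    default:
      return `<p class="preview-none">No inline preview for ${escapeHtml(baseName(filename))}</p>`;
  }
}

// Server side: headers for the raw-file endpoint the previewer fetches from.
// nosniff stops the browser from second-guessing the declared type, and the CSP
// sandbox directive keeps a direct navigation to the file from running script in
// the application's origin.
function previewHeaders(filename) {
  const base = {
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; sandbox",
  };
  switch (previewMode(filename)) {
    case "html":
      return { ...base, "Content-Type": "text/html; charset=utf-8", "Content-Disposition": "inline" };
    case "text":
      return { ...base, "Content-Type": "text/plain; charset=utf-8", "Content-Disposition": "inline" };
    default: {
      const safeName = baseName(filename).replace(/[^\w.-]/g, "_");
      return {
        ...base,
        "Content-Type": "application/octet-stream",
        "Content-Disposition": `attachment; filename="${safeName}"`,
      };
    }
  }
}

// Constructed sample (not a real file): a .py file carrying an HTML script tag.
const SAMPLE_PY = 'print("hi")\n# <script>alert(document.cookie)</script>\n';

if (typeof require !== "undefined" && require.main === module) {
  console.log(previewMarkup("tool.py", SAMPLE_PY));
  console.log(previewHeaders("tool.py"));
}
```

Both halves are needed: a client that escapes into pre is defeated if another view mode does `innerHTML = content`, and a server that sends text/plain is defeated if the client re-parses the body as HTML. Keying every decision on one `previewMode` function keeps the two in agreement.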

BDU FSTEC · added 2025/06/18 12:00 a.m. · 2 views

A vulnerability in the XWiki platform for building collaborative web applications stems from insufficient protection of the web page structure. It allows an attacker to execute arbitrary JavaScript code.

The vulnerability in XWiki Platform stems from the absence of measures protecting the structure of the web page. Exploiting it allows a remote attacker to execute arbitrary JavaScript code...

CVSS 10 · AI score 5.8 · EPSS 0.00068
Exploits: 1 · References: 3 · Affected software: 1

RedhatCVE · added 2025/06/17 4:14 p.m. · 4 views

CVE-2024-25573

Unsanitized user-supplied data saved in the PingFederate Administrative Console could trigger the execution of JavaScript code in subsequent user processing...

CVSS 6.9 · AI score 6.7 · EPSS 0.00437
Exploits: 0 · References: 1

NVD · added 2025/06/17 9:15 a.m. · 13 views

CVE-2025-40674

Reflected Cross-Site Scripting (XSS) in osCommerce v4. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the name of any parameter in /watch/en/about-us. This vulnerability can be exploited to steal sensitive user...

CVSS 5.1 · EPSS 0.0035
Exploits: 0 · References: 1

CVE · added 2025/06/17 8:50 a.m. · 33 views

CVE-2025-40674

CVE-2025-40674 is a reflected XSS in osCommerce v4. An attacker can craft a URL with a malicious payload targeting any parameter name in /watch/en/about-us to cause JavaScript execution in a victim’s browser, potentially stealing session cookies or performing actions on behalf of the user. Docume...

CVSS 5.1 · AI score 6.1 · EPSS 0.0035
Exploits: 0 · References: 1

AstraLinux · added 2025/06/16 11:28 a.m. · 6 views

Astra Linux – Vulnerability in Thunderbird

The Thunderbird Address Book’s URI fields contained unsanitized links. An attacker could use these links to create and export an address book carrying malicious payloads in certain fields, for example the “Other” field of the Instant Messaging section. If another user imported the address boo...

CVSS 5.4 · AI score 7 · EPSS 0.30868
Exploits: 0 · References: 3

AstraLinux · added 2025/06/16 11:28 a.m. · 2 views

Astra Linux – Vulnerability in Firefox

It was possible to interrupt the processing of a RegExp bailout and execute additional JavaScript code, potentially triggering garbage collection when the engine did not expect it. This vulnerability has been fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8...

CVSS 6.5 · AI score 7.2 · EPSS 0.0034
Exploits: 0 · References: 3

AstraLinux · added 2025/06/16 11:28 a.m. · 1 view

Astra Linux – Vulnerability in Thunderbird

Thunderbird’s handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By creating a nested email attachment message/rfc822 and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened,...

CVSS 8.1 · AI score 7.1 · EPSS 0.00422
Exploits: 0 · References: 3

Tenable Nessus · added 2025/06/16 12:00 a.m. · 5 views

TencentOS Server 3: thunderbird (TSSA-2024:0241)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0241 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities...

CVSS 8.8 · AI score 8.2 · EPSS 0.39735
Exploits: 17 · References: 7

Tenable Nessus · added 2025/06/16 12:00 a.m. · 5 views

TencentOS Server 4: rabbitmq-server (TSSA-2025:0265)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2025:0265 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...

CVSS 6.1 · AI score 6.9 · EPSS 0.00023
Exploits: 0 · References: 2

NVD · added 2025/06/15 4:15 p.m. · 7 views

CVE-2024-25573

Unsanitized user-supplied data saved in the PingFederate Administrative Console could trigger the execution of JavaScript code in subsequent user processing...

CVSS 6.9 · EPSS 0.00437
Exploits: 0 · References: 2

Cvelist · added 2025/06/15 3:25 p.m. · 22 views

CVE-2024-25573 Stored Cross-Site Scripting in Administrative Console Context

Unsanitized user-supplied data saved in the PingFederate Administrative Console could trigger the execution of JavaScript code in subsequent user processing...

CVSS 6.9 · EPSS 0.00437
Exploits: 0 · References: 2

Vulnrichment · added 2025/06/15 3:25 p.m. · 3 views

CVE-2024-25573 Stored Cross-Site Scripting in Administrative Console Context

Unsanitized user-supplied data saved in the PingFederate Administrative Console could trigger the execution of JavaScript code in subsequent user processing...

CVSS 6.9 · AI score 7.3 · EPSS 0.00437
Exploits: 0 · References: 2