35 matches found

RedhatCVE, added yesterday

CVE-2026-6275

The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1. This is due to insufficient output escaping on the post author's nickname in the statcounteraddToTags function. The function is hooked to wphead...

CVSS 6.4, AI score 5.5, EPSS 0.0004
Exploits: 0, References: 1
ATTACKERKB, added 2026/05/18 12:00 a.m.

CVE-2026-29964

HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output...

CVSS 6.1, AI score 6.2, EPSS 0.00042
Exploits: 1, References: 4
AstraLinux, added 2026/05/03 11:59 p.m.

Astra Linux - vulnerability in golang-1.19

Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution...

CVSS 9.8, AI score 7.1, EPSS 0.00289
Exploits: 0, References: 2
ATTACKERKB, added 2026/04/27 12:00 a.m.

CVE-2026-29971

A reflected cross-site scripting (XSS) vulnerability exists in WebFileSys versions before 2.32.0 (fixed in 2.32.0). User-controlled input is reflected into HTML and JavaScript contexts without proper output encoding, allowing arbitrary JavaScript execution in the victim's browser via the ftpBack...

CVSS 6.1, AI score 5.3, EPSS 0.00025
Exploits: 3, References: 3
Tenable Nessus, added 2026/04/02 12:00 a.m.

Zabbix 6.0.x < 6.0.41 / 7.0.x < 7.0.19 / 7.2.x < 7.2.13 / 7.4.x < 7.4.3 Information Disclosure (ZBX-27638)

The version of Zabbix Server installed on the remote host is prior to 6.0.41, 7.0.19, 7.2.13 or 7.4.3. It is, therefore, affected by an information disclosure vulnerability: Zabbix Server/Proxy reuses JavaScript Duktape contexts for performance reasons. This can lead to confidentiality loss wher...

CVSS 7.1, AI score 6, EPSS 0.0003
Exploits: 0, References: 2
RedhatCVE, added 2026/03/24 8:26 p.m.

CVE-2026-23919

A flaw was found in Zabbix Server and Proxy. This vulnerability arises from the system's reuse of JavaScript Duktape contexts, which are execution environments for JavaScript code. A regular Zabbix administrator, even without superuser privileges, can exploit this to access and leak sensitive dat...

CVSS 7.1, AI score 5.7, EPSS 0.0003
Exploits: 0, References: 2
Snyk, added 2026/02/09 9:54 a.m.

Improper Isolation or Compartmentalization

Overview: mcp-run-python is a Model Context Protocol server to run Python code in a sandbox. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization via the runPython or runPythonAsync functions. An attacker can gain unauthorized access to and manipulate the...

CVSS 5.8, AI score 5.9, EPSS 0.00013
Exploits: 0, References: 2
EUVD, added 2025/10/07 12:30 a.m.

EUVD-2021-11364

Malware in sbrugna...

CVSS 6.1, AI score 6.2, EPSS 0.03377
Exploits: 2, References: 2
RedhatCVE, added 2025/05/22 6:49 p.m.

CVE-2021-42552

Cross-site Scripting (XSS) vulnerability in ArchivistaBox webclient allows an attacker to craft a malicious link, executing JavaScript in the context of a victim's browser. This issue affects all ArchivistaBox versions prior to 2022/I...

CVSS 6.1, AI score 5.8, EPSS 0.0024
Exploits: 1
OSV, added 2025/02/05 6:15 p.m.

CVE-2025-24320

A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. This vulnerability is due to an incomplete fix for CVE-2024-31156...

CVSS 5.1, AI score 6.2, EPSS 0.0085
Exploits: 0, References: 1
NVD, added 2023/09/08 5:15 p.m.

CVE-2023-39319

The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack...

CVSS 6.1, AI score 6.8, EPSS 0.00087
Exploits: 0, References: 6
Positive Technologies, added 2023/08/21 12:00 a.m.

PT-2023-9457 (html/template)

Vulnerable software and affected versions: html/template package (affected versions not specified). Description: The issue is related to the html/template package not applying proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider...

CVSS 9.8, AI score 6.2, EPSS 0.94395
Exploits: 27, References: 364
Veracode, added 2023/05/14 11:44 a.m.

Improper Sanitization

Go is vulnerable to Improper Sanitization. Whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution, resulting in the vulnerability...

CVSS 9.8, AI score 6.9, EPSS 0.00289
Exploits: 0, References: 8, Affected software: 12
Huntr, added 2022/10/09 2:34 p.m.

Reflected Cross-Site Scripting due to Improper Sanitization

Description: User input that is reflected in a JavaScript context is not properly sanitized. The user input is reflected inside a single-quoted string, and single quotes are encoded. However, there is an issue with the entity removing HTML tags that prevents single quotes from being encoded. Thi...

AI score 6.6
Exploits: 0
ATTACKERKB, added 2022/05/30 9:15 a.m.

CVE-2022-1528

The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.9 does not escape the current URL before putting it back in a JavaScript context, leading to a Reflected Cross-Site Scripting...

CVSS 6.1, AI score 5.5, EPSS 0.00288
Exploits: 2, References: 2
OSV, added 2022/05/30 9:15 a.m.

CVE-2022-1528

The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.9 does not escape the current URL before putting it back in a JavaScript context, leading to a Reflected Cross-Site Scripting...

CVSS 6.1, AI score 6.4
Exploits: 0, References: 1
Snyk, added 2022/05/17 11:49 a.m.

Arbitrary Code Execution

Overview: metacalc is a spreadsheet-calculations package for Metarhia. Affected versions of this package are vulnerable to Arbitrary Code Execution because it exposes JavaScript's Math object to the V8 context. As Math is exposed to user-land, it can be used to get access to JavaScript's Function...

CVSS 9.8, AI score 7.1, EPSS 0.01096
Exploits: 1, References: 2
CNNVD, added 2021/12/07 12:00 a.m.

Mozilla Thunderbird security feature issue vulnerability

Mozilla Thunderbird is an e-mail client from the Mozilla Foundation (USA), developed independently of the Mozilla Application Suite. It supports the IMAP and POP mail protocols as well as HTML-formatted mail. A security-feature issue vulnerability exists in Mozilla Thunderbird...

CVSS 6.5, AI score 7.7, EPSS 0.00855
Exploits: 0, References: 21
WPVulnDB, added 2021/10/12 12:00 a.m.

Discounts Manager for Products < 3.4.5 - Reflected Cross-Site Scripting

The plugin does not escape the wcdptab parameter before outputting it back in a JavaScript context, leading to a Reflected Cross-Site Scripting issue. PoC (v3.4.2): https://example.com/wp-admin/admin.php?page=wcwcdptab=alert/XSS/...

Exploits: 0, Affected software: 1
WPVulnDB, added 2021/06/28 12:00 a.m.

W3 Total Cache < 2.1.5 - Reflected XSS in Extensions Page (JS Context)

The plugin was affected by a reflected Cross-Site Scripting (XSS) issue within the "extension" parameter in the Extensions dashboard, when the 'Anonymously track usage to improve product quality' setting is enabled, as the parameter is output in a JavaScript context without proper escaping. This...

CVSS 4.3, AI score 5.8, EPSS 0.03377
Exploits: 2, Affected software: 1