Lucene search
K

5995 matches found

Nuclei
Nuclei
added 17 hours ago11 views

Yonyou UFIDA ERP-NC V5.0 - Cross-Site Scripting

Yonyou UFIDA ERP-NC V5.0 is vulnerable to reflected cross-site scripting XSS via the langcode parameter in /help/systop.jsp and /help/top.jsp. Unsanitized user input is reflected in the response, allowing arbitrary JavaScript execution. id: CVE-2025-2712 info: name: Yonyou UFIDA ERP-NC V5.0 -...

6.1CVSS6.1AI score0.0079EPSS
Exploits1References1
Nuclei
Nuclei
added 17 hours ago17 views

123Solar 1.8.4.5 - Cross-Site Scripting

123Solar 1.8.4.5 is vulnerable to reflected cross-site scripting XSS via the date1 parameter in detailed.php. Unsanitized user input is reflected in the response, allowing arbitrary JavaScript execution. id: CVE-2024-9007 info: name: 123Solar 1.8.4.5 - Cross-Site Scripting author: ritikchaddha...

5.4CVSS6.1AI score0.00949EPSS
Exploits1References2
Nuclei
Nuclei
added 17 hours ago13 views

Yonyou UFIDA ERP-NC V5.0 - Cross-Site Scripting

Yonyou UFIDA ERP-NC V5.0 is vulnerable to reflected cross-site scripting XSS via the flag parameter in menu.jsp. Unsanitized user input is reflected in the response, allowing arbitrary JavaScript execution. id: CVE-2025-2710 info: name: Yonyou UFIDA ERP-NC V5.0 - Cross-Site Scripting author:...

6.1CVSS6.1AI score0.00872EPSS
Exploits1References2
NVD
NVD
added 3 days ago4 views

CVE-2026-57213

RabbitMQ is a messaging and streaming broker. Prior to 3.13.14, 4.0.19, 4.1.10, and 4.2.5, the rabbitmqfederationmanagement plugin renders the consumertag field on the Federation Status page without HTML escaping, allowing a user who can configure a federation upstream or policy to execute...

5.7CVSS0.00325EPSS
Exploits1References6
EUVD
EUVD
added 3 days ago6 views

EUVD-2026-39126

SiYuan: Stored XSS in Bazaar marketplace via package README event handlers...

7.1CVSS6.1AI score0.0018EPSS
Exploits0References2
EUVD
EUVD
added 3 days ago6 views

EUVD-2026-42905

The Grav API plugin getgrav/grav-plugin-api before 1.0.3 fails to sanitize SVG files uploaded through the POST /api/v1/media endpoint. The HandlesMediaUploads::processUploadedFile method validates only the file extension and never invokes Security::sanitizeSVG, so an authenticated attacker with t...

5.1CVSS6.2AI score0.00141EPSS
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 4 days ago7 views

Malicious code in chai-defender (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 14f276305fd5e43b60bbfd1048d8792ef7f72734c28cfe533d368c0fc199a0fe On require'chai-defender', index.js invokes launchDeflectBootstrap which spawns a detached background node process running lib/caller.js. That proces...

6.5AI score
Exploits0References7
ATTACKERKB
ATTACKERKB
added 5 days ago8 views

CVE-2026-13129

When the application opens a PDF file, JavaScript uses the damaged field tree to trigger field traversal, resulting in the program holding an invalid form object when accessing the field property path. Eventually, the application crashes due to reading an invalid pointer...

7.8CVSS6AI score0.00116EPSS
Exploits0References2Affected Software2
Positive Technologies
Positive Technologies
added 5 days ago11 views

PT-2026-56355

Name of the Vulnerable Software and Affected Versions Foxit Editor/Reader affected versions not specified Description When the application opens a PDF and executes JavaScript, it performs abnormal operations on the list box field, which are repeated after the form is reset. The application fails ...

7.8CVSS6.2AI score0.00118EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-56539

Name of the Vulnerable Software and Affected Versions PasswordPusher versions prior to 2.8.1 Description Insufficient validation in the valid url function allows the application to accept data URI schemes in URL push payloads. This enables attackers to create malicious pushes containing...

8.2CVSS6.1AI score0.00192EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.6 views

PT-2026-56013

Name of the Vulnerable Software and Affected Versions showdown affected versions not specified Description An issue exists in metadata title handling that allows the injection of arbitrary HTML and JavaScript. When the completeHTMLDocument option is enabled, unescaped less-than and greater-than...

6.1CVSS6.2AI score0.00187EPSS
Exploits0References5
Tenable Nessus
Tenable Nessus
added 2026/07/06 12:0 a.m.8 views

Siemens SIMATIC S7 PLC Web Server Improper Neutralization of Input During Web Page Generation (CVE-2026-25789)

Affected devices do not properly validate and sanitize filenames on the Firmware Update page. This could allow a remote attacker to social engineer the user into selecting a modified firmware file. This would result in malicious JavaScript execution in the context of the authenticated user's...

7.2CVSS7.3AI score0.00274EPSS
Exploits0References3
Snyk
Snyk
added 2026/07/03 10:19 p.m.6 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the extensionsRequired field of glTF files processed by the 3D file viewer. An attacker can execute arbitrary JavaScript code in the context of another user by uploading a crafted glTF file containing malicio...

8.7CVSS5.9AI score0.00336EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/03 10:19 p.m.6 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the extensionsRequired field of glTF files processed by the 3D file viewer. An attacker can execute arbitrary JavaScript code in the context of another user by uploading a crafted glTF file containing malicio...

8.7CVSS5.9AI score0.00336EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/03 10:19 p.m.5 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the extensionsRequired field of glTF files processed by the 3D file viewer. An attacker can execute arbitrary JavaScript code in the context of another user by uploading a crafted glTF file containing malicio...

8.7CVSS5.9AI score0.00336EPSS
Exploits0References2
CVE
CVE
added 2026/07/01 11:58 a.m.21 views

CVE-2026-53907

MCO is vulnerable to a Stored Cross‑Site Scripting (XSS) flaw in the application logo upload feature. A user who can change the logo can upload a crafted SVG containing JavaScript that executes when the logo renders, enabling code execution in the origin context. The vulnerability is confirmed fo...

5.4CVSS5.8AI score0.0014EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/07/01 6:9 a.m.5 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper handling of user-supplied input in the map format. An attacker can execute arbitrary JavaScript code in the context of users viewing affected pages by injecting malicious payloads. Details Cross-sit...

8.3CVSS5.8AI score0.00134EPSS
Exploits0References2
SUSE CVE
SUSE CVE
added 2026/07/01 3:48 a.m.7 views

SUSE CVE-2025-1015

The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book,...

7.8CVSS6.9AI score0.01331EPSS
Exploits0References7
EUVD
EUVD
added 2026/07/01 12:34 a.m.8 views

EUVD-2026-40431

Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /executejs endpoint, which accepts and executes arbitrary user-supplied JavaScript in the server's browser context with --disable-web-security enabled. An attacker can execute arbitrary...

9.2CVSS6.2AI score0.00334EPSS
Exploits0References4
PyPA
PyPA
added 2026/06/30 11:17 p.m.5 views

PYSEC-2026-798

Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /executejs endpoint, which accepts and executes arbitrary user-supplied JavaScript in the server's browser context with --disable-web-security enabled. An attacker can execute arbitrary...

9.2CVSS6.3AI score0.00334EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder