5006 matches found

RedhatCVE
added 2026/03/26 3:01 p.m. | 1 view

CVE-2026-1090

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the markdownplaceholders feature flag was enabled, to inject JavaScript in a browser due to improper...

CVSS 8.7 | AI score 5.8 | EPSS 0.00085
Exploits 0 | References 1
Positive Technologies
added 2026/03/26 12:00 a.m. | 2 views

PT-2026-28550

Name of the Vulnerable Software and Affected Versions Statamic versions prior to 5.73.16 Statamic versions prior to 6.7.2 Description The user:reset password form tag does not properly escape user-supplied input before rendering it as HTML, potentially allowing an attacker to inject and execute...

CVSS 6.1 | AI score 6.1 | EPSS 0.00041
Exploits 0 | References 5
Positive Technologies
added 2026/03/26 12:00 a.m. | 0 views

PT-2026-28508

Name of the Vulnerable Software and Affected Versions Kestra versions up to and including 1.3.3 Description Kestra is an open-source, event-driven orchestration platform. Versions up to and including 1.3.3 render user-supplied flow YAML metadata fields – description, inputs.displayName,...

CVSS 7.3 | AI score 5.9 | EPSS 0.00062
Exploits 1 | References 3
Positive Technologies
added 2026/03/26 12:00 a.m. | 6 views

PT-2026-28195

The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup function and its corresponding media-popup.php template...

CVSS 5.4 | AI score 6 | EPSS 0.00049
Exploits 0 | References 7
CNNVD
added 2026/03/26 12:00 a.m. | 3 views

Authelia cross-site scripting vulnerability

Authelia is a single sign-on multi-factor portal developed by Authelia OpenSource. Version 4.39.15 of Authelia contains a cross-site scripting vulnerability. This vulnerability arises from the lack of neutralization of the language cookie value during the rendering of HTML templates, whic...

CVSS 6.1 | AI score 6.3 | EPSS 0.0002
Exploits 1 | References 1
RedhatCVE
added 2026/03/25 9:01 p.m. | 1 view

CVE-2026-30587

A flaw was found in Seafile Server and its Seadoc editor. This Stored Cross-Site Scripting XSS vulnerability allows authenticated remote attackers to inject malicious JavaScript code. The application fails to properly sanitize WebSocket messages during document structure updates. By exploiting...

CVSS 6.3 | AI score 6.1 | EPSS 0.00066
Exploits 1 | References 9
EUVD
added 2026/03/25 7:52 p.m. | 2 views

EUVD-2026-14494

AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field...

CVSS 5.4 | AI score 5.8 | EPSS 0.00041
Exploits 1 | References 3
Github Security Blog
added 2026/03/25 7:52 p.m. | 3 views

AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field

Summary: A sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The xss_esc() function entity-encodes input before stripspecifictags can match dangerous HTML tags, and...

CVSS 5.4 | AI score 6 | EPSS 0.00041
Exploits 1 | References 4 | Affected Software 1
NVD
added 2026/03/25 6:16 p.m. | 1 view

CVE-2026-30587

Multiple Stored XSS vulnerabilities exist in Seafile Server versions 13.0.15, 13.0.16-pro, 12.0.14 and prior, fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc sdoc editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows...

CVSS 8.7 | EPSS 0.00066
Exploits 1 | References 6
CNNVD
added 2026/03/25 12:00 a.m. | 5 views

Seafile Server security vulnerability

Seafile Server is an open-source cloud storage server software developed by Seafile, offering features for file synchronization, sharing, and collaboration management. Versions of Seafile Server such as 13.0.15, 13.0.16-pro, 12.0.14, and earlier have security vulnerabilities. These vulnerabilitie...

CVSS 8.7 | AI score 5.8 | EPSS 0.00066
Exploits 1 | References 7
OSV
added 2026/03/24 4:33 p.m. | 0 views

GHSA-GMFG-3V4Q-9QR4 Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting

Impact Official Weighted Severity Rating: Low This exploit is very unlikely to be the case for most users as it requires configuration of the Content Security Policy template value. Below represents a safe value, any other value other than unconfigured should be very carefully evaluated regardles...

CVSS 2.1 | AI score 5.9 | EPSS 0.0002
Exploits 1 | References 3
RedhatCVE
added 2026/03/24 4:09 p.m. | 2 views

CVE-2026-29091

A flaw was found in Locutus, a project that brings standard libraries of other programming languages to JavaScript. A remote attacker could exploit an insecure implementation of the call_user_func_array function, which fails to properly validate all components of a callback array before passing them...

CVSS 8.1 | AI score 6 | EPSS 0.00506
Exploits 1 | References 5
NVD
added 2026/03/23 8:16 p.m. | 2 views

CVE-2026-33548

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline (my_view_page.php) allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has...

CVSS 8.6 | EPSS 0.00046
Exploits 0 | References 2
NVD
added 2026/03/23 7:16 p.m. | 1 view

CVE-2026-33683

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The xss_esc() function...

CVSS 5.4 | EPSS 0.00041
Exploits 1 | References 2
Vulnrichment
added 2026/03/23 7:06 p.m. | 2 views

CVE-2026-32852 MailEnable < 10.55 Reflected XSS via FreeBusy.aspx StartDate Parameter

MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the StartDate parameter in...

CVSS 5.1 | AI score 6 | EPSS 0.00027
Exploits 1 | References 5
ATTACKERKB
added 2026/03/23 6:41 p.m. | 1 view

CVE-2026-33683

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The xss_esc() function...

CVSS 5.4 | AI score 5.9 | EPSS 0.00041
Exploits 1 | References 3 | Affected Software 1
CVE
added 2026/03/22 5:00 p.m. | 10 views

CVE-2026-33295

CVE-2026-33295 affects WWBN/AVideo prior to version 26.0, where a stored XSS exists in the CDN plugin’s downloadButtons.php. The vulnerability arises because the video record field clean_title is interpolated directly into a JavaScript string literal without escaping, enabling an attacker who can...

CVSS 8.2 | AI score 5.7 | EPSS 0.00014
Exploits 1 | References 2 | Affected Software 1
EUVD
added 2026/03/21 6:30 a.m. | 2 views

EUVD-2026-13994

The fyyd podcast shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fyyd-podcast', 'fyyd-episode', and 'fyyd' shortcodes in all versions up to, and including, 0.3.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode...

CVSS 6.4 | AI score 6 | EPSS 0.00062
Exploits 0 | References 14
NVD
added 2026/03/21 4:17 a.m. | 4 views

CVE-2026-4084

The fyyd podcast shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fyyd-podcast', 'fyyd-episode', and 'fyyd' shortcodes in all versions up to, and including, 0.3.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode...

CVSS 6.4 | EPSS 0.00062
Exploits 0 | References 13
EUVD
added 2026/03/21 12:31 a.m. | 1 view

EUVD-2026-13929

The Scoreboard for HTML5 Games Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'scoreboard' shortcode in all versions up to, and including, 1.2. The shortcode function sfhgshortcode allows arbitrary HTML attributes to be added to the rendered element, with only a...

CVSS 6.4 | AI score 6 | EPSS 0.00063
Exploits 0 | References 9