CVE-2026-43878 WWBN AVideo: Reflected XSS in plugin/Meet/iframe.php via Unescaped `user`/`pass` Parameters Reflected into JavaScript String Literal

WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/Meet/iframe.php echoes the attacker-controlled user and pass query parameters unescaped into a JavaScript double-quoted string literal inside a block. An attacker who sends a victim to a crafted URL can bre...

Video: Reflected XSS in plugin/Meet/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal

Summary plugin/Meet/iframe.php echoes the attacker-controlled user and pass query parameters unescaped into a JavaScript double-quoted string literal inside a block. An attacker who sends a victim to a crafted URL can break out of the string and execute arbitrary JavaScript in the victim's browse...

GHSA-MM5F-8Q57-4FC4 Video: Reflected XSS in plugin/Meet/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal

Summary plugin/Meet/iframe.php echoes the attacker-controlled user and pass query parameters unescaped into a JavaScript double-quoted string literal inside a block. An attacker who sends a victim to a crafted URL can break out of the string and execute arbitrary JavaScript in the victim's browse...

CVE-2026-4005

The Coachific Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userhash' shortcode attribute in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitizetextfield on the 'userhash'...

CVE-2026-21717

A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the...

PT-2026-26474

Summary WWBN/AVideo contains an open redirect vulnerability in the login flow where a user-supplied redirectUri parameter is reflected directly into a JavaScript document.location assignment without JavaScript-safe encoding. After a user completes the login popup flow, a timer callback executes t...

EUVD-2026-9109

wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using jsonencode without the JSONHEXTAG flag. Attackers set a forum slug containing a closing script tag or unescaped single quote to break o...

Exploit for Cross-site Scripting in Phpmyadmin

CVE-2014-9219 CVE-2014-9219 XSS POC About The vulnerability...

EUVD-2019-0621

Malware in sbrugna...

Mozilla Firefox post-release reuse vulnerability (CNVD-2024-29333)

Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. A post-release reuse vulnerability exists in versions prior to Mozilla Firefox 127, which can be exploited by an attacker to read memory in the JavaScript string portion of the heap...

UBUNTU-CVE-2024-5694

An attacker could have caused a use-after-free in the JavaScript engine to read memory in the JavaScript string section of the heap. This vulnerability affects Firefox 127...

Mozilla Firefox 安全漏洞

Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. A post-release reuse vulnerability exists in versions prior to Mozilla Firefox 127, which can be exploited by an attacker to read memory in the JavaScript string portion of the heap...

CVE-2023-40472

PDF-XChange Editor JavaScript String Untrusted Pointer Dereference Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the targ...

RHCOS 4 / 9 : OpenShift Container Platform 4.13.3 (RHSA-2023:3536)

The remote Red Hat Enterprise Linux CoreOS 4 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3536 advisory. - golang: net/http, net/textproto: denial of service from excessive memory allocation CVE-2023-24534 - golang: net/http,...

golang: html/template: backticks not treated as string delimiters

A flaw was found in Golang Go. This flaw allows a remote attacker to execute arbitrary code on the system, caused by not properly considering backticks as Javascript string delimiters. By sending a specially crafted request, an attacker execute arbitrary code on the system...

golang: html/template: backticks not treated as string delimiters

A flaw was found in Golang Go. This flaw allows a remote attacker to execute arbitrary code on the system, caused by not properly considering backticks as Javascript string delimiters. By sending a specially crafted request, an attacker execute arbitrary code on the system...

Important: golang

Issue Overview: RESERVED NOTE: https://groups.google.com/g/golang-announce/c/V0aBFqaFsE CVE-2022-41724 Golang: net/http, mime/multipart: denial of service from excessive resource consumption https://groups.google.com/g/golang-announce/c/V0aBFqaFsE CVE-2022-41725 The ScalarMult and ScalarBaseMult...

Security Bulletin: Vulnerabilities in Golang Go might affect IBM Spectrum Copy Data Management ( CVE-2023-24536, CVE-2023-24537, CVE-2023-24538)

Summary Vulnerabilities in Golang Go might affect IBM Spectrum Copy Data Management. Vulnerabilities include the execution of arbitrary code on the system, denial of service attack, as described by the CVEs in the "Vulnerability Details" section. Vulnerability Details CVEID:CVE-2023-24536...

Security Bulletin: Vulnerability in Golang Go could affect IBM CICS TX Advanced [CVE-2023-24538]

Summary CVE-2023-24538 may affect IBM CICS TX Advanced. IBM CICS TX Advanced has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2023-24538 DESCRIPTION: Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by not properly consider backticks as...

SUSE SLES15 Security Update : go1.20 (SUSE-SU-2023:2105-2)

The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2105-2 advisory. - HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service...