5936 matches found

Tenable Nessus
added 2025/05/14 12:0 a.m., 10 views

Mozilla Thunderbird < 138.0.1

The version of Thunderbird installed on the remote Windows host is prior to 138.0.1. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-35 advisory. - It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open th...

8.1 CVSS, 7.1 AI score, 0.00351 EPSS
Exploits 0, References 4

Tenable Nessus
added 2025/05/14 12:0 a.m., 10 views

Mozilla Thunderbird < 128.10.1

The version of Thunderbird installed on the remote macOS or Mac OS X host is prior to 128.10.1. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-34 advisory. - It was possible to craft an email that showed a tracking link as an attachment. If the user attempted...

8.1 CVSS, 7.1 AI score, 0.00351 EPSS
Exploits 0, References 4

Tenable Nessus
added 2025/05/14 12:0 a.m., 9 views

Mozilla Thunderbird < 128.10.1

The version of Thunderbird installed on the remote Windows host is prior to 128.10.1. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-34 advisory. - It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open t...

8.1 CVSS, 7.1 AI score, 0.00351 EPSS
Exploits 0, References 4

Veracode
added 2025/05/13 5:12 p.m., 16 views

Cross-site Scripting (XSS)

org.graylog2:graylog2-server is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to insufficient input sanitization due to improper handling of uploaded files that allows execution of arbitrary JavaScript in the frontend when accessed via the API browser...

6.8 AI score
Exploits 0

RedHat Linux
added 2025/05/13 4:6 p.m., 4 views

firefox: thunderbird: Use-after-free triggered by XSLTProcessor

A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free...

6.5 CVSS, 6.8 AI score, 0.00767 EPSS
Exploits 1, References 10

Positive Technologies
added 2025/05/13 12:0 a.m., 6 views

PT-2025-21187

Name of the Vulnerable Software and Affected Versions: Thunderbird versions prior to 128.10.1; Thunderbird versions prior to 138.0.1
Description: The issue arises from Thunderbird's handling of the X-Mozilla-External-Attachment-URL header, which can be exploited to execute JavaScript in the file:/...

9.8 CVSS, 8.8 AI score, 0.32568 EPSS
Exploits 5, References 435

Mozilla
added 2025/05/13 12:0 a.m., 26 views

Security Vulnerabilities fixed in Thunderbird 128.10.1 — Mozilla

Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an invalid value "Spoofed Name [email protected] [email protected]", Thunderbird treats [email protected] as the...

8.1 CVSS, 6.6 AI score, 0.00351 EPSS
Exploits 0, References 5, Affected Software 1

Mozilla
added 2025/05/13 12:0 a.m., 19 views

Security Vulnerabilities fixed in Thunderbird 138.0.1 — Mozilla

Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an invalid value "Spoofed Name [email protected] [email protected]", Thunderbird treats [email protected] as the...

8.1 CVSS, 6.6 AI score, 0.00351 EPSS
Exploits 0, References 5, Affected Software 1

NVD
added 2025/05/12 12:15 p.m., 24 views

CVE-2025-40626

Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform...

6.1 CVSS, 0.00195 EPSS
Exploits 0, References 1

NVD
added 2025/05/12 12:15 p.m., 22 views

CVE-2025-40627

Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform...

6.1 CVSS, 0.00195 EPSS
Exploits 0, References 1

Cvelist
added 2025/05/12 11:36 a.m., 32 views

CVE-2025-40627 Reflected Cross-Site Scripting (XSS) in AbanteCart

Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform...

5.1 CVSS, 0.00195 EPSS
Exploits 0, References 1

Cvelist
added 2025/05/12 11:31 a.m., 25 views

CVE-2025-40626 Reflected Cross-Site Scripting (XSS) in AbanteCart

Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform...

5.1 CVSS, 0.00195 EPSS
Exploits 0, References 1

Vulnrichment
added 2025/05/12 11:31 a.m., 19 views

CVE-2025-40626 Reflected Cross-Site Scripting (XSS) in AbanteCart

Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform...

5.1 CVSS, 5.6 AI score, 0.00195 EPSS
Exploits 0, References 1

Vulnrichment
added 2025/05/12 6:0 a.m., 8 views

CVE-2025-3597 Firelight Lightbox < 2.3.15 - Contributor+ Stored XSS

The Firelight Lightbox WordPress plugin before 2.3.15 does not prevent users with post writing capabilities from executing arbitrary Javascript when the jQuery Metadata library is enabled. While this feature is meant to only be available to Pro version users, it can be activated in the free versi...

5.8 AI score, 0.0027 EPSS
Exploits 1, References 1

CVE
added 2025/05/12 6:0 a.m., 67 views

CVE-2025-3597

CVE-2025-3597 affects the Firelight Lightbox WordPress plugin for versions prior to 2.3.15. The vulnerability lets users with post-writing capabilities execute arbitrary Javascript when the jQuery Metadata library is enabled, a feature intended for Pro but which can be activated in the free versi...

5.9 CVSS, 6.9 AI score, 0.0027 EPSS
Exploits 1, References 1, Affected Software 1

Positive Technologies
added 2025/05/12 12:0 a.m., 5 views

PT-2025-20681 · WordPress +1 · Firelight Lightbox +1

Name of the Vulnerable Software and Affected Versions: Firelight Lightbox plugin for WordPress versions prior to 2.3.15
Description: The issue allows users with post writing capabilities to execute arbitrary JavaScript when the jQuery Metadata library is enabled. This feature is intended for Pro...

5.9 CVSS, 7 AI score, 0.0027 EPSS
Exploits 1, References 7

Positive Technologies
added 2025/05/12 12:0 a.m., 5 views

PT-2025-20694 · Unknown · Abantecart

Name of the Vulnerable Software and Affected Versions: AbanteCart version 1.4.0
Description: A Reflected Cross-Site Scripting (XSS) issue allows an attacker to execute JavaScript code in a victim's browser by sending a malicious URL. This can be exploited to steal sensitive user data, such as sessi...

5.1 CVSS, 5.5 AI score, 0.00195 EPSS
Exploits 0, References 7

RedhatCVE
added 2025/05/09 6:7 p.m., 8 views

CVE-2025-46824

The Discourse Code Review Plugin allows users to review GitHub commits on Discourse. Prior to commit eed3a80, an attacker can execute arbitrary JavaScript on users' browsers by posting links to malicious GitHub commits. This problem is patched in commit eed3a80 of the discourse-code-review plugin...

3.1 CVSS, 7.3 AI score, 0.00267 EPSS
Exploits 0, References 1

NVD
added 2025/05/09 12:15 p.m., 17 views

CVE-2025-1087

Kong Insomnia Desktop Application before 11.0.2 contains a template injection vulnerability that allows attackers to execute arbitrary code. The vulnerability exists due to insufficient validation of user-supplied input when processing template strings, which can lead to arbitrary JavaScript...

9.3 CVSS, 0.00991 EPSS
Exploits 0, References 2

OSV
added 2025/05/09 12:15 p.m., 6 views

CVE-2025-1087

Kong Insomnia Desktop Application before 11.0.2 contains a template injection vulnerability that allows attackers to execute arbitrary code. The vulnerability exists due to insufficient validation of user-supplied input when processing template strings, which can lead to arbitrary JavaScript...

9.3 CVSS, 7.5 AI score
Exploits 0, References 2