5933 matches found
CVE-2026-33548
Mantis Bug Tracker MantisBT is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline myviewpage.php allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has...
CVE-2026-33517
Mantis Bug Tracker MantisBT is an open source issue tracker. In version 2.28.0, when deleting a Tag tagdelete.php, improper escaping of its name when displaying the confirmation message allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Versi...
CVE-2026-33517 MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation
Mantis Bug Tracker MantisBT is an open source issue tracker. In version 2.28.0, when deleting a Tag tagdelete.php, improper escaping of its name when displaying the confirmation message allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Versi...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsanitized processing of Bazaar package metadata. An attacker can execute arbitrary JavaScript code in the context of the application, potentially leading to remote code execution by submitting crafted...
PT-2026-27183
Name of the Vulnerable Software and Affected Versions Mantis Bug Tracker versions prior to 2.28.1 Description Mantis Bug Tracker version 2.28.0 contains a flaw due to improper escaping of tag names retrieved from History in the Timeline feature, specifically within the my view page.php file. This...
PT-2026-27182
Name of the Vulnerable Software and Affected Versions Mantis Bug Tracker versions prior to 2.28.1 Description Mantis Bug Tracker is an open source issue tracker. A flaw exists in version 2.28.0 where improper escaping of a tag name during the display of a confirmation message when deleting a tag...
CVE-2024-46879
A Reflected Cross-Site Scripting XSS vulnerability exists in the POST request data zipPath of tiki-adminsystem.php in Tiki version 21.2. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or...
CVE-2026-33172
Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the...
CVE-2026-33140 PySpector: Stored XSS in PySpector HTML Report Generation leads to Javascript Code Execution
PySpector is a static analysis security testing SAST Framework engineered for modern Python development workflows. PySpector versions 0.1.6 and prior are affected by a stored Cross-Site Scripting XSS vulnerability in the HTML report generator. When PySpector scans a Python file containing...
EUVD-2026-13752
XinLiangCoder phpapidoc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in listmethod.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL with...
CVE-2026-32986
Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category th...
CVE-2026-33035
WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. User input from a URL parameter flows through PHP's jsonencode into a JavaScript function...
CVE-2026-33035
CVE-2026-33035 affects WWBN AVideo
CVE-2026-33035
WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. User input from a URL parameter flows through PHP's jsonencode into a JavaScript function...
CVE-2026-30578
File Thinghie 2.5.7 is vulnerable to Cross Site Scripting XSS. A malicious user can leverage the "dir" parameter of the GET request to invoke arbitrary javascript code...
PT-2026-26651
XinLiangCoder php api doc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in list method.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL...
CVE-2026-32754
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.208 and below are vulnerable to Stored Cross-Site Scripting XSS through FreeScout's email notification templates. Incoming email bodies are stored in the database without sanitization and rendered...
Server-side Request Forgery (SSRF)
Overview league/commonmark is a PHP-based Markdown parser which supports the full CommonMark spec. It is based on the CommonMark JS reference implementation. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the DomainFilteringAdapter process. An attacker ca...
Linux Distros Unpatched Vulnerability : CVE-2026-32722
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports...
CVE-2026-32722
Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated...