CVE-2026-42224

ipl/web is a set of common web components for php projects. Prior to versions 0.13.1 and 0.10.3, the vulnerability allows an attacker to inject malicious Javascript into a victim's browser to run it in the context of Icinga Web. The victim needs to visit a specifically prepared website and may ha...

CVE-2026-7936

An object lifecycle issue flaw was found in the V8 component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=490485402...

Cross-site Scripting (XSS)

Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the notes field of the component checkout process. An attacker can execute arbitrary JavaScript code in the context of another user by submitting...

Cross-site Scripting (XSS)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Cross-site Scripting XSS in the rendering process of the pending user overlay content due to improper sanitization order. An attacker can execute arbitrary JavaScript in the browser context of affected users ...

CVE-2026-42343 FastGPT: Uncontrolled Resource Consumption leading to Sandbox Exhaustion

FastGPT is an AI Agent building platform. In versions 4.14.13 and prior, the code-sandbox component suffers from insufficient resource isolation and uncontrolled resource consumption. The service relies solely on an application-level soft limit a 500ms polling interval for memory management and...

EUVD-2026-28853

FastGPT is an AI Agent building platform. In versions 4.14.13 and prior, the code-sandbox component suffers from insufficient resource isolation and uncontrolled resource consumption. The service relies solely on an application-level soft limit a 500ms polling interval for memory management and...

Cross-site Scripting (XSS)

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the dataheadertitle parameter in the admin panel. An attacker can execute arbitrary JavaScript code in the contex...

Cross-site Scripting (XSS)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Cross-site Scripting XSS in the sanitizeResponseContent process. An attacker can execute arbitrary JavaScript in the browser of another user by crafting a malicious model description containing a markdown lin...

open-webui Vulnerable to Stored XSS via Model Description

!IMPORTANT Relationship to CVE-2024-7990 CVE-2024-7990 issued by huntr.dev, March 2025 describes a stored XSS in the same field — the model description — but exploits a different bypass mechanism: a second-order injection through the sanitizeResponseContent function's video-tag placeholder...

GHSA-GF5M-WCRH-7928 open-webui Vulnerable to Stored XSS via Model Description

!IMPORTANT Relationship to CVE-2024-7990 CVE-2024-7990 issued by huntr.dev, March 2025 describes a stored XSS in the same field — the model description — but exploits a different bypass mechanism: a second-order injection through the sanitizeResponseContent function's video-tag placeholder...

EUVD-2026-28512

Electerm runWidget has a path traversal that leads to arbitrary code execution...

absinthe_plug Has a Cross-site Scripting vulnerability

Improper Neutralization of Input During Web Page Generation XSS vulnerability in absinthe-graphql absintheplug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':jsescape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the...

CVE-2026-42794

Improper Neutralization of Input During Web Page Generation XSS vulnerability in absinthe-graphql absintheplug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':jsescape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the...

GHSA-9QJ6-QJGG-37QQ vm2 has sandbox breakout via `neutralizeArraySpeciesBatch`

Summary VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. Details The new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this...

CVE-2026-42794 Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug

Improper Neutralization of Input During Web Page Generation XSS vulnerability in absinthe-graphql absintheplug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':jsescape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the...

CVE-2026-42794 Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug

Improper Neutralization of Input During Web Page Generation XSS vulnerability in absinthe-graphql absintheplug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':jsescape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the...

EEF-CVE-2026-42794 Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug

Summary Improper Neutralization of Input During Web Page Generation XSS vulnerability in absinthe-graphql absintheplug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':jsescape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines i...

CVE-2026-42794

CVE-2026-42794 is a reflected XSS in absinthe_plug via GraphiQL. The function Elixir.Absinthe.Plug.GraphiQL:js_escape/1 escapes single quotes and newlines in the query GET parameter but does not escape backslashes, enabling an attacker to prefix a quote with a backslash (e.g., ") to break out of ...

EUVD-2026-28792

18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that...

CVE-2026-41585

ZEBRA’s JSON-RPC HTTP middleware is vulnerable to Denial of Service via interrupted requests. Affected: zebrad 2.2.0–<4.3.1 and zebra-rpc 1.0.0-beta.45–