Automotive Grade Linux app-framework-binder 安全漏洞

Automotive Grade Linux app-framework-binder is an application framework communication component from Automotive Grade Linux, Inc. A security vulnerability exists in Automotive Grade Linux app-framework-binder version 19.90.0 and earlier, which stems from the existence of elevation of privilege in...

EUVD-2026-26667

Cross-Site Scripting XSS in V2Board thru 1.7.4. The customhtml field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling...

CVE-2026-37503

CVE-2026-37503 affects V2Board up to version 1.7.4. The vulnerability arises from rendering the custom_html field in theme configuration with unescaped Blade output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API, which is then exe...

PT-2026-36527

Name of the Vulnerable Software and Affected Versions GSVoIP web panel version 2.0.90 Description A Cross-Site Scripting XSS issue exists where the /painel/gateways.php/error endpoint fails to properly sanitize user-supplied input in the msg parameter. This allows a remote attacker to inject...

CVE-2026-40685

In Exim before 4.99.2, when JSON lookup is enabled, an out-of-bounds heap write can occur when a JSON operator encounters malformed JSON in an untrusted header, because of an incorrect implementation of \ skipping...

CVE-2026-35569

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields SEO Title and Meta Description, where user-controlled input is rendered without proper output encoding into HTML contexts includin...

Exploit for CVE-2025-69606

CVE-2025-69606 — Reflected XSS in GSVoIP Web Panel Severi...

CVE-2026-7429 SSCMS v7.4.0 Reflected Cross-Site Scripting via STL Processing

SSCMS v7.4.0 contains a reflected cross-site scripting vulnerability in the STL processing endpoint that allows attackers to execute arbitrary JavaScript by crafting malicious STL template payloads that are decrypted and returned without proper sanitization. Attackers can exploit improper output...

Incorrect Authorization

Overview @clerk/clerk-js is a Clerk JS library Affected versions of this package are vulnerable to Incorrect Authorization through the createProtect and createCheckAuthorization functions. An attacker can gain access to protected pages or handlers by supplying a single auth.protect or has call th...

firefox security update

An update is available for firefox. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Mozilla Firefox is an open-source web browser, designed for standards...

PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Credentials

In yet another software supply chain attack, threat actors have managed to compromise the popular Python package Lightning to push two malicious versions to conduct credential theft. According to Aikido Security, OX Security, Socket, and StepSecurity, the two malicious versions are versions 2.6.2...

firefox: thunderbird: Invalid pointer in the JavaScript: WebAssembly component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Invalid pointer in the JavaScript: WebAssembly component...

Important: Red Hat Security Advisory: thunderbird security update

An update for thunderbird is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability...

firefox: thunderbird: Use-after-free in the JavaScript Engine component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Use-after-free in the JavaScript Engine component...

CVE-2025-14576

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of...

EUVD-2025-209594

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of...

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the VectorImage component when a user is tricked into loading a specially crafted SVG file. An attacker can execute arbitrary QML or JavaScript code by embedding malicious payloads within the SVG, potentiall...

CVE-2025-14576 Possible QML code injection in VectorImage component

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of...

[SECURITY] Fedora 42 Update: binaryen-126-1.fc42

Binaryen is a compiler and toolchain infrastructure library for WebAssembly, written in C++. It aims to make compiling to WebAssembly easy, fast, and effective: Easy: Binaryen has a simple C API in a single header, and can also be used from JavaScript. It accepts input in WebAssembly-like form bu...

SSCMS 跨站脚本漏洞

SSCMS SiteServerCMS is a content management system developed by SSCMS Corporation in China. Version 7.4.0 of SSCMS contains a cross-site scripting vulnerability. This vulnerability stems from STL processing of endpoint scenarios involving reflective cross-site scripts. It may allow attackers to...