OSV-2026-764 Heap-use-after-free in JS_DefineProperty

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=513811188 Crash type: Heap-use-after-free READ 8 Crash state: JSDefineProperty buildbacktrace JSCallInternal...

Mattermost 跨站脚本漏洞

Mattermost is an open-source collaboration platform developed by the American company Mattermost. Versions of Mattermost such as 11.5.1 and earlier 11.5.x series as well as 10.11.13 and earlier 10.11.x series have a cross-site scripting vulnerability. This vulnerability arises from variables that...

CVE-2026-29964

HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting XSS vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output...

PT-2026-41641

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious code via injecting some JS as part of those...

CVE-2026-26462

Offline Hospital Management System 5.3.0 allows remote code execution due to an improper Electron renderer configuration. The application enables Node.js integration while disabling context isolation, allowing JavaScript executed in the renderer process to access Node.js APIs and execute arbitrar...

Joern 4.0.540

Joern is the bug hunter's workbench. With this tool, you can uncover attack surface, sloppy coding practices, and variants of known vulnerabilities using an interactive code analysis shell. Joern supports C, C++, LLVM bitcode, x86 binaries via Ghidra, JVM bytecode via Soot, and Javascript...

CVE-2026-29965

HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting XSS in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax...

EUVD-2026-30784

HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting XSS vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output...

PT-2026-41797

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.38.1 Description The V1 Views API endpoint "/api/views" accepts a calculation parameter in the request body that is interpolated directly into a CouchDB reduce function definition without validation. While an...

Linux Distros Unpatched Vulnerability : CVE-2026-23926

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An authenticated non-super administrator can create a maintenance period with a JavaScript payload that is executed by any user that opens tooltip for that...

EUVD-2026-30782

HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting XSS in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax...

PT-2026-41708

HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting XSS in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax...

CVE-2026-8769

CVE-2026-8769 affects vercel ai up to 3.0.97, specifically the provider-utils file response-handler.ts (functions createJsonResponseHandler and createJsonErrorResponseHandler). The issue enables resource consumption that can be triggered remotely; exploit publicly disclosed. Details on affected v...

CVE-2018-25331 Zenar Content Management System Cross-Site Scripting via ajax.php

Zenar Content Management System contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating form parameters in POST requests. Attackers can inject script tags through the currentpage parameter sent to the ajax.php endpoint, which...

qs 代码问题漏洞

QS is a JavaScript library developed by Jordan Harband. Versions of QS from 6.11.1 to 6.15.2 had code vulnerabilities. This vulnerability occurred when calling qs.stringify on an array containing null or undefined, with arrayFormat set to comma and encodeValuesOnly set to true. This resulted in a...

CVE-2020-37240

Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Attackers can insert JavaScript payloads in the First Name, Last Name, and Email fields during user creation, which...

CVE-2021-47981 Quick.CMS 6.7 Cross-Site Scripting via CSRF to Sliders Form

Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription parameter. Attackers can craft CSRF forms targeting the admin.php?p=sliders-form endpoint to execute...

CVE-2021-47981

Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription parameter. Attackers can craft CSRF forms targeting the admin.php?p=sliders-form endpoint to execute...

EUVD-2020-31236

NewsLister contains an authenticated persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the title parameter in the news addition interface. Attackers can inject JavaScript payloads via the title field in the admin panel that...

CVE-2020-37236

CVE-2020-37236 describes an authenticated persistent cross-site scripting vulnerability in NewsLister. Authenticated administrators can inject JavaScript via the title parameter in the news addition interface, with payloads executing when news items are viewed by other users. The CVE has a CVSS v...