
14 matches found

NVD
added 2026/05/27 5:16 p.m., 13 views

CVE-2026-44353

Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to 8.4.0, Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file...

CVSS: 6.5, EPSS: 0.00033
Exploits: 1, References: 1

Snyk
added 2026/05/08 6:32 a.m., 5 views

XML External Entity (XXE) Injection

Overview: org.opencms:opencms-core is a Java open source content management system by Alkacon Software. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the XML parsing process when a declaration references an external host. An attacker can access sensitive...

CVSS: 8.7, AI score: 5.9, EPSS: 0.00086
Exploits: 0, References: 2

Snyk
added 2026/05/04 6:27 p.m., 6 views

XML External Entity (XXE) Injection

Overview: Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the create method in the DictionaryEntryPersistor class, which initializes a SAXParserFactory without enabling FEATURE_SECURE_PROCESSING or disabling DTD processing. An attacker can access local files...

CVSS: 9.1, AI score: 5.9, EPSS: 0.00127
Exploits: 0, References: 2

Snyk
added 2026/04/17 10:17 p.m., 3 views

Directory Traversal

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Directory Traversal via the outbound media handling. An attacker can access arbitrary local files by referencing host-local paths outside the intended media storage boundary in reply text...

CVSS: 9.6, AI score: 6.4, EPSS: 0.00064
Exploits: 0, References: 2

Vulnrichment
added 2026/04/14 1:56 p.m., 1 view

CVE-2026-4345 Stored Cross-Site Scripting (XSS) Vulnerability in Design Name

A maliciously crafted HTML payload, stored in a design name and exported to CSV, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context o...

CVSS: 7.1, AI score: 6.1, EPSS: 0.00024
Exploits: 0, References: 3

Snyk
added 2026/03/04 7:28 p.m., 1 view

Directory Traversal

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Directory Traversal via the extractToolResultMediaPaths process. An attacker can access and exfiltrate sensitive files from the system's temporary directory or other allowed local roots b...

CVSS: 6.9, AI score: 6.2
Exploits: 0, References: 2

Snyk
added 2025/06/24 8:41 p.m., 2 views

XML External Entity (XXE) Injection

Overview: Affected versions of this package are vulnerable to XML External Entity (XXE) Injection due to the DocumentBuilderFactory used in the XunitXmlPlugin.java file, which is used without disabling DTDs or external entities. An attacker can access arbitrary files on the file system or initiate...

CVSS: 8.7, AI score: 7.6, EPSS: 0.00202
Exploits: 0, References: 2

CNNVD
added 2025/03/28 12:00 a.m., 2 views

CSS Validator Security Vulnerability

CSS Validator is a CSS (Cascading Style Sheets) validation program from the World Wide Web Consortium (W3C). A security vulnerability exists in CSS Validator versions prior to cssval-20250226, which stems from a vulnerability that allows an attacker to force a server-side request forgery using a...

CVSS: 8.4, AI score: 6.5, EPSS: 0.00463
Exploits: 1, References: 2

CNNVD
added 2024/12/19 12:00 a.m., 1 view

Zimbra Collaboration Suite Security Vulnerability

Zimbra Collaboration Suite (ZCS) is an open source collaboration suite from Zimbra. The product includes WebMail, Calendar, Address Book and more. A security vulnerability exists in Zimbra Collaboration Suite (ZCS) versions 9.0, 10.0, and 10.1, which originates from a local file in an endpoint in the...

CVSS: 7.5, AI score: 6.3, EPSS: 0.0022
Exploits: 0, References: 2

Snyk
added 2024/09/17 2:42 p.m., 1 view

Improper Input Validation

Overview: Affected versions of this package are vulnerable to Improper Input Validation via the makeFromUrl and makeFromAny methods. An attacker can read local files or perform server-side request forgery by supplying malicious URLs. PoC php / @var \Czim\FileHandling\Storage\File\StorableFileFacto...

CVSS: 8.2, AI score: 6.7, EPSS: 0.00319
Exploits: 0, References: 2

CNNVD
added 2024/02/20 12:00 a.m., 4 views

Pyhtml2pdf Cross-Site Scripting Vulnerability

Pyhtml2pdf is a simple Python wrapper from the Python Foundation that converts HTML to PDF using headless Chrome via Selenium. A cross-site scripting vulnerability exists in Pyhtml2pdf version 0.0.6, which stems from not validating user-entered HTML content, resulting in an attacker being able to obta...

CVSS: 7.5, AI score: 5.8, EPSS: 0.0024
Exploits: 1, References: 3

VulnCheck KEV
added 2022/04/12 12:00 a.m., 2 views

VulnCheck KEV: CVE-2019-18426

A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading...

CVSS: 8.2, AI score: 7.3, EPSS: 0.61
Exploits: 5, References: 1

RedHat Linux
added 2018/07/30 3:10 p.m., 2 views

chromium-browser: Local file information leak in Extensions

Insufficient enforcement of file access permission in the activeTab case in Extensions in Google Chrome prior to 68.0.3440.75 allowed an attacker who convinced a user to install a malicious extension to access files on the local file system via a crafted Chrome Extension...

CVSS: 6.5, AI score: 7.3, EPSS: 0.00531
Exploits: 0, References: 5

RedHat Linux
added 2009/01/13 9:33 p.m., 0 views

JRE allows unauthorized file access and connections to localhost

Unspecified vulnerability in Java Runtime Environment (JRE) with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier allows code that is loaded from a local filesystem to read arbitrary files and make...

CVSS: 7.5, AI score: 7.3, EPSS: 0.0488
Exploits: 1, References: 4