
Japan Vulnerability Notes
added 2026/05/21 8:22 a.m., 5 views

Android App "RoboForm Password Manager" insufficient validation of Android intents

Overview: Android App "RoboForm Password Manager" provided by Siber Systems, Inc. accepts intents from other applications to open relevant web pages, e.g. login pages, but without sufficient URL validation, user confirmation or notification. Insufficient UI Warning of Dangerous Operations CWE-357...

CVSS 4.6, AI score 5.8, EPSS 0.00023
Exploits 0, References 5
EUVD
added 2026/05/21 12:30 a.m., 6 views

EUVD-2026-31200

Android App "RoboForm Password Manager" provided by Siber Systems, Inc. handles Android intents without sufficient URL validation, user confirmation or notification. If a URL to some malicious web page is given through an intent, RoboForm may silently download files without user confirmation or...

CVSS 4.6, AI score 5.8, EPSS 0.00023
Exploits 0, References 4
CNNVD
added 2026/05/07 12:00 a.m., 3 views

sidekiq-cron security vulnerability

sidekiq-cron is an open-source scheduling plugin for tasks based on Cron expressions. Versions of sidekiq-cron 2.3.1 and earlier contain security vulnerabilities; these vulnerabilities stem from the possibility of cross-site scripting attacks caused by rendering malicious URLs through the cron.er...

CVSS 6.1, AI score 5.7, EPSS 0.0001
Exploits 0, References 1
Snyk
added 2026/05/06 8:10 p.m., 6 views

Improper Encoding or Escaping of Output

Overview: phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the Utils::parseUrl function during comment rendering. An attacker can execute arbitrary JavaScript in the...

CVSS 8.3, AI score 6.1, EPSS 0.00012
Exploits 0, References 3
AstraLinux
added 2026/05/03 11:59 p.m., 2 views

Astra Linux - vulnerability in ffmpeg, ffmpeg5

A flaw was discovered in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET requests to be made on behalf of the machine running FFmpeg, through a crafted DASH playlist containing malicious URLs...

CVSS 7.2, AI score 6.7, EPSS 0.00126
Exploits 0, References 2
RedHat Linux
added 2026/04/23 4:40 p.m., 4 views

python: Python: Command-line option injection in webbrowser.open() via crafted URLs

A flaw was found in Python. The webbrowser.open API, used to launch web browsers, does not properly sanitize input. This allows a remote attacker to craft a malicious URL containing leading dashes. When such a URL is opened, certain web browsers may interpret these dashes as command-line options,...

CVSS 7, AI score 6, EPSS 0.00015
Exploits 0, References 7
Positive Technologies
added 2026/04/22 12:00 a.m., 4 views

PT-2026-37152

Name of the Vulnerable Software and Affected Versions: i18nextify versions prior to 4.0.8. Description: The software substitutes key interpolation tokens within src and href attribute values using the raw string from i18next.t. The substitution logic in the replaceInside handler within src/localize....

CVSS 4.7, AI score 6, EPSS 0.00033
Exploits 0, References 6
CNNVD
added 2026/04/14 12:00 a.m., 2 views

SAP NetWeaver Application Server ABAP input validation error vulnerability

SAP NetWeaver Application Server ABAP is a platform used by SAP, a German company, for the operation and development of applications written in the ABAP language. There is an input validation vulnerability in SAP NetWeaver Application Server ABAP. This vulnerability stems from an open redirection...

CVSS 6.1, AI score 5.8, EPSS 0.00072
Exploits 0, References 2
Positive Technologies
added 2026/04/09 12:00 a.m., 1 view

PT-2026-31730

Joomla Solidres 2.13.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating multiple GET parameters including show, reviews, type id, distance, facilities, categories, prices, location, and Itemid. Attackers can...

CVSS 6.1, AI score 5.8, EPSS 0.00095
Exploits 0, References 5
Positive Technologies
added 2026/04/09 12:00 a.m., 1 view

PT-2026-31731

Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the from option, from ctrl,...

CVSS 6.1, AI score 5.8, EPSS 0.00095
Exploits 0, References 5
CNNVD
added 2026/03/31 12:00 a.m., 3 views

SiYuan code injection vulnerability

SiYuan is a privacy-oriented personal knowledge management system developed by SiYuan OpenSource. Versions of SiYuan prior to 3.6.2 contained a code injection vulnerability. This vulnerability stemmed from unvalidated malicious URLs in the Attribute View mAsse field, which could lead to stored-xs...

CVSS 9, AI score 6.1, EPSS 0.00023
Exploits 1, References 4
GithubExploit
added 2026/03/30 3:43 p.m., 463 views

Exploit for Embedded Malicious Code in Aquasec Setup-Trivy

CVE-2026-33634-Scanner. License: MIT...

CVSS 9.4, AI score 6, EPSS 0.23896
Exploits 2
CNNVD
added 2026/03/26 12:00 a.m., 2 views

GDTaller cross-site scripting vulnerability

GDTaller is a digital certificate and electronic seal management system developed by the Spanish company GDTaller. GDTaller has a cross-site scripting vulnerability, which originates from the site parameter in the apprecuperarclave.php file. This vulnerability could allow attackers to execute...

CVSS 6.1, AI score 5.7, EPSS 0.00013
Exploits 0, References 1
ATTACKERKB
added 2026/03/15 6:34 p.m., 0 views

CVE-2017-20219

Serviio PRO 1.8 DLNA Media Streaming Server contains a DOM-based cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads. Attackers can craft URLs with malicious input that is read from document.location and passed to...

AI score 5.9, EPSS 0.00046
Exploits 1, References 6, Affected Software 1
Positive Technologies
added 2026/03/15 12:00 a.m., 2 views

PT-2026-25725

ZKTeco ZKBioSecurity 3.0 contains multiple reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary HTML and script code by injecting malicious payloads through unsanitized parameters in multiple scripts. Attackers can craft malicious URLs with XSS payloads in...

CVSS 6.1, AI score 5.9, EPSS 0.00014
Exploits 1, References 7
Positive Technologies
added 2026/03/12 12:00 a.m., 1 view

PT-2026-25048

A flaw was found in mirror-registry where an authenticated user can trick the system into accessing unintended internal or restricted systems by providing malicious web addresses. When the application processes these addresses, it automatically follows redirects without verifying the final...

CVSS 4.9, AI score 5.8, EPSS 0.00033
Exploits 0, References 3
EUVD
added 2026/03/05 9:59 p.m., 3 views

EUVD-2026-9894

OpenClaw versions prior to 2026.2.15 contain a denial of service vulnerability in the webfetch tool that allows attackers to crash the Gateway process through memory exhaustion by parsing oversized or deeply nested HTML responses. Remote attackers can social-engineer users into fetching malicious...

CVSS 6.9, AI score 5.9, EPSS 0.00194
Exploits 0, References 3
OSV
added 2026/02/27 7:16 p.m., 2 views

CVE-2026-27756

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a reflected cross-site scripting vulnerability in the management interface where user input is not properly encoded before output. Attackers can craft malicious URLs that execute arbitrary JavaScript in the web interface when...

CVSS 6.1, AI score 5.8
Exploits 0, References 2
Positive Technologies
added 2026/02/27 12:00 a.m., 4 views

PT-2026-22374

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a reflected cross-site scripting vulnerability in the management interface where user input is not properly encoded before output. Attackers can craft malicious URLs that execute arbitrary JavaScript in the web interface when...

CVSS 6.1, AI score 6, EPSS 0.00039
Exploits 0, References 3
CVE
added 2026/02/03 4:57 p.m., 3 views

CVE-2026-24674

Open eClass (formerly GUnet eClass) is vulnerable to a Reflected XSS in multiple endpoints prior to version 4.2. The root cause is reflected XSS that allows an attacker to coerce authenticated users into executing arbitrary JavaScript via crafted URLs. Impact is to expose user context data and po...

CVSS 6.1, AI score 5.8, EPSS 0.00069
Exploits 1, References 1, Affected Software 1