CVE-2026-44746

Due to a reflected cross-site scripting XSS vulnerability in SAP NetWeaver JAVA JDBC Test Servlet, an unauthenticated attacker could craft a URL that embeds a malicious script. If a victim clicks this link, the injected input is processed during web page generation, resulting in the execution of...

EUVD-2026-35635

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write...

EUVD-2025-209233

An open redirect in Ascertia SigningHub User v10.0 allows attackers to redirect users to a malicious site via a crafted URL...

CVE-2026-4519

A flaw was found in Python. The webbrowser.open API, used to launch web browsers, does not properly sanitize input. This allows a remote attacker to craft a malicious URL containing leading dashes. When such a URL is opened, certain web browsers may interpret these dashes as command-line options,...

Updated yt-dlp packages fix security vulnerability

When yt-dlp's --netrc-cmd command-line option or netrccmd Python API parameter is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the downloadFile function via the update-cache command. An attacker can cause disk exhaustion by supplying a malicious URI in the configuration, leading to unbounded downloads and...

GHSA-G3GW-Q23R-PGQM yt-dlp: Arbitrary Command Injection when using the `--netrc-cmd` option

Summary When yt-dlp's --netrc-cmd command-line option or netrccmd Python API parameter is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. Impact yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who us...

GHSA-WJ8P-JJ64-H7FF Arbitrary WASM Code Execution via AnnotationOverrideFlight Injection in Yoke ATC

Arbitrary WASM Code Execution via AnnotationOverrideFlight Injection in Yoke ATC This vulnerability exists in the Air Traffic Controller ATC component of Yoke, a Kubernetes deployment tool. It allows users with CR create/update permissions to execute arbitrary WASM code in the ATC controller...

CVE-2026-24128

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting XSS vulnerability, which allows an attacker to...

CVE-2025-53854

A reflected cross-site scripting xss vulnerability exists in the modifyHL7Route functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability...

CVE-2025-41081 Reflected Cross-Site Scripting (XSS) in IsMyGym

Reflected Cross-Site Scripting XSS vulnerability in IsMyGym by Zuinq Studio. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL with '/.php/'. This vulnerability can be exploited to steal sensitive user data, such as session...

CVE-2025-66401 MCP Watch has a Critical Command Injection in cloneRepo allows Remote Code Execution (RCE) via malicious URL

MCP Watch is a comprehensive security scanner for Model Context Protocol MCP servers. In 0.1.2 and earlier, the MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via...

Google Cloud Looker 安全漏洞

Google Cloud Looker is an online tool from Google USA for converting data into customizable and informative reports and dashboards. A security vulnerability exists in Google Cloud Looker that stems from a malicious URL construction issue that could lead to the execution of attacker-supplied scrip...

AndSoft e-TMS Cross-Site Scripting Vulnerability (CNVD-2025-23568)

AndSoft e-TMS is a logistics management software from AndSoft Spain. A cross-site scripting vulnerability exists in AndSoft e-TMS, which originates from a lack of effective filtering and escaping of user-supplied data in parameter l of the /clt/TRACKREQUEST.ASP file, which can be exploited by an...

EUVD-2025-24161

Malicious code in bioql PyPI...

EUVD-2025-32144

Malicious code in bioql PyPI...

CVE-2025-59767

Cross-site scripting XSS vulnerability reflected in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL. The relationship between parameter and assigned identifier is 'l, demo, demo2, TNTLOGIN, UO and...

PT-2025-40395

Name of the Vulnerable Software and Affected Versions AndSoft e-TMS version 25.03 Description A cross-site scripting issue exists that allows an attacker to execute JavaScript code in a victim's browser. This is achieved by sending a malicious URL. The vulnerability is reflected in the...

AndSoft e-TMS 跨站脚本漏洞

AndSoft e-TMS is a logistics management software from AndSoft Spain. AndSoft e-TMS suffers from a cross-site scripting vulnerability that stems from the lack of effective filtering and escaping of user-supplied data in the parameters l, demo, demo2, TNTLOGIN, UO, and SuppConn in the file...

CVE-2025-54925

CWE-918: Server-Side Request Forgery SSRF vulnerability exists that could cause unauthorized access to sensitive data when an attacker configures the application to access a malicious url...