OpenCats 访问控制错误漏洞

OpenCats is an open-source recruitment process management system developed by OpenCats. Version 0.9.4 of OpenCats contains a vulnerability related to access control. This vulnerability stems from a remote code execution flaw, allowing unauthenticated attackers to execute arbitrary commands by...

Aero CMS 代码注入漏洞

Aero CMS is a content management system developed by the American company Aero CMS. Version 0.0.1 of Aero CMS has a code injection vulnerability. This vulnerability stems from PHP code injection in the image parameter, which may allow authenticated attackers to execute arbitrary PHP code by...

CVE-2026-40470 Hackage package and doc upload stored XSS vulnerability

A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served as-is on the main hackage.haskell.org domain. As a consequence, when a user with latent HTTP credentials browses...

Flowise 代码问题漏洞

Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Prior to Flowise 3.1.0, there were code-related vulnerabilities. These vulnerabilities stemmed from the Chatflow configuration file upload settings, which could be modified to allow...

PT-2026-28445

Name of the Vulnerable Software and Affected Versions ByteDance Deer-Flow versions prior to commit 5dbb362 Description The software contains a stored cross-site scripting issue in the artifacts API. An attacker can execute arbitrary scripts by uploading malicious HTML or script content as...

CVE-2026-32536

Unrestricted Upload of File with Dangerous Type vulnerability in halfdata Green Downloads halfdata-paypal-green-downloads allows Using Malicious Files.This issue affects Green Downloads: from n/a through = 2.08...

BIT-PARSE-2026-31868 Parse Server has Stored XSS via file upload of HTML-renderable file types

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.30, an attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server fileUpload.fileExtensions...

Microsoft Devices Pricing Program Code Issue Vulnerability

The Microsoft Devices Pricing Program is Microsoft's exclusive device purchasing and pricing mechanism for enterprise customers, partners, or select channels to enjoy customized pricing, terms of business, and support for volume purchases of Surface Series devices such as Surface Laptop, Surface...

CVE-2026-23802

Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine ai-engine allows Using Malicious Files.This issue affects AI Engine: from n/a through = 3.3.2...

CVE-2026-26272

HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting XSS vulnerability exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload...

CVE-2026-28274 Initiative Vulnerable to Token Theft via Stored XSS in Document Uploads

Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 are vulnerable to Stored Cross-Site Scripting XSS in the document upload functionality. Any user with upload permissions within the "Initiatives" section can upload a malicious .html or .htm file ...

CVE-2026-1458

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an unauthenticated user to cause denial of service by uploading malicious files...

CVE-2020-37103 DotNetNuke 9.5 - Persistent Cross-Site Scripting

DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML files with executable scripts through journal tools. Attackers can upload XML files with XHTML namespace scripts to execute arbitrary JavaScript in users' browsers, potentially...

CVE-2020-37103

DotNetNuke 9.5 contains a persistent cross-site scripting (XSS) vulnerability that allows normal users to upload XML files with executable scripts via journal tools. This can cause arbitrary JavaScript to run in users’ browsers, potentially bypassing CSRF protections and enabling more damaging at...

CVE-2026-25156

HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’s browser rather than downloaded. The intended behavior was for only text/plain, application/pdf,...

WordPress plugin Blogzee code-related vulnerabilities

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that extends the...

IBM Concert 代码问题漏洞

IBM Concert is a new tool from International Business Machines IBM Inc. that uses generative AI to help manage complex cloud-native applications. IBM Concert suffers from a code issue vulnerability that stems from not validating the content of files uploaded to the web interface, which can be...

CVE-2025-55251

HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise...

CVE-2025-52660

HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise...

CVE-2025-55251 HCL AION is affected by an Unrestricted File Upload vulnerability

HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise...