4 matches found

Source: EUVD
Added: 3 days ago

EUVD-2026-40359

SeaweedFS before 4.30 reflects the callback query parameter verbatim into responses served with Content-Type application/javascript in the shared writeJson helper (weed/server/common.go), with no callback-name validation, no X-Content-Type-Options: nosniff header, and no CORS allow-list. Every JSON...

CVSS score 3.1 | AI score 5.7 | EPSS 0.0021
Exploits: 0 | References: 5
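The three missing controls named in that summary (callback allow-listing, nosniff, and not reflecting arbitrary input into a script body) are cheap to add in a shared JSON helper. The following is an added example written for this listing; it is not SeaweedFS code and does not reproduce its writeJson helper. WriteJSON, ValidCallback, Serve, the regular expression and the 64-character limit are all assumptions of the example. It runs offline against a constructed payload and shows a plain JSON response, a valid JSONP response, and a rejected callback that would otherwise have been reflected verbatim.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// callbackRe allow-lists JSONP callback names: a JavaScript identifier,
// optionally dotted ("cb", "jQuery17_123", "app.handlers.onStatus").
// Quotes, angle brackets, parentheses, slashes and whitespace never match,
// so a request cannot inject script into the application/javascript body.
var callbackRe = regexp.MustCompile(`^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$`)

// maxCallbackLen bounds the reflected name (hypothetical limit chosen for the example).
const maxCallbackLen = 64

// ValidCallback reports whether name is acceptable as a JSONP callback.
func ValidCallback(name string) bool {
	return name != "" && len(name) <= maxCallbackLen && callbackRe.MatchString(name)
}

var errBadCallback = errors.New("invalid JSONP callback name")

// WriteJSON is a hypothetical hardened JSON/JSONP helper (example code, not
// the project's). Without ?callback= it writes plain JSON; with it, the name
// is checked against the allow-list and the body is prefixed with "/**/", a
// common JSONP hardening that stops the response being parsed as another
// format. Every response carries X-Content-Type-Options: nosniff.
func WriteJSON(w http.ResponseWriter, r *http.Request, obj interface{}) error {
	body, err := json.Marshal(obj)
	if err != nil {
		http.Error(w, "encoding error", http.StatusInternalServerError)
		return err
	}
	w.Header().Set("X-Content-Type-Options", "nosniff")

	callback := r.URL.Query().Get("callback")
	if callback == "" {
		w.Header().Set("Content-Type", "application/json")
		_, err = w.Write(body)
		return err
	}
	if !ValidCallback(callback) {
		// Reject rather than reflect: the name is attacker-controlled input.
		http.Error(w, errBadCallback.Error(), http.StatusBadRequest)
		return errBadCallback
	}
	w.Header().Set("Content-Type", "application/javascript")
	_, err = fmt.Fprintf(w, "/**/%s(%s);", callback, body)
	return err
}

// Serve runs WriteJSON against a synthetic GET and returns status,
// Content-Type and body so the behaviour can be checked without a server.
func Serve(url string) (int, string, string) {
	req := httptest.NewRequest(http.MethodGet, url, nil)
	rec := httptest.NewRecorder()
	_ = WriteJSON(rec, req, map[string]string{"status": "ok"}) // constructed payload
	return rec.Code, rec.Header().Get("Content-Type"), rec.Body.String()
}

func main() {
	for _, u := range []string{
		"/status",
		"/status?callback=app.onStatus",
		"/status?callback=alert(document.cookie)//",
	} {
		code, ct, body := Serve(u)
		fmt.Printf("%-45s -> %d %s %q\n", u, code, ct, body)
	}
}
```

The allow-list is the control that matters: nosniff only stops a browser from re-interpreting a response whose declared type is wrong, and a CORS allow-list limits who may read the response, but neither prevents a page from loading the endpoint as a script tag, which is exactly what JSONP exists for. A CORS allow-list for the JSON case is a separate policy decision and is not shown here.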
Source: OSV
Added: 2026/04/13 7:23 p.m.

GHSA-9PR4-RF97-79QH Note Mark has Stored XSS via Unrestricted Asset Upload

Summary: A stored same-origin XSS vulnerability allows any authenticated user to upload an HTML, SVG, or XHTML file as a note asset and have it executed in a victim's browser under the application's origin. Because the application serves these files inline without a safe content type and without...

CVSS score 8.7 | AI score 5.8 | EPSS 0.00309
Exploits: 0 | References: 5
Source: Github Security Blog
Added: 2026/04/13 7:23 p.m.

Note Mark has Stored XSS via Unrestricted Asset Upload

Summary: A stored same-origin XSS vulnerability allows any authenticated user to upload an HTML, SVG, or XHTML file as a note asset and have it executed in a victim's browser under the application's origin. Because the application serves these files inline without a safe content type and without...

CVSS score 8.7 | AI score 5.8 | EPSS 0.00309
Exploits: 0 | References: 5 | Affected software: 1
Source: RedhatCVE
Added: 2026/02/24 10:42 p.m.

CVE-2026-27512

Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55multi contains a content-type confusion vulnerability in the administrative interface. Responses omit the X-Content-Type-Options: nosniff header and include attacker-influenced content that can be reflected into the response body. Under...

CVSS score 6.1 | AI score 5.7 | EPSS 0.00183
Exploits: 0 | References: 1
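The Note Mark entries above (user uploads served inline, where HTML, SVG and XHTML carry script) and the Tenda entry (responses with no nosniff header and attacker-influenced content, so the browser decides the type) fail at the same point: the server never commits to a safe Content-Type. The following is an added example written for this listing, not code from Note Mark, Tenda or any of the linked advisories. The Asset type, the sample uploads, ServeAsset, Fetch and the inline allow-list are assumptions of the example. It derives the media type by sniffing the stored bytes rather than trusting the upload name, serves only allow-listed image types inline, forces everything else to download as application/octet-stream, and sets nosniff plus a sandboxing CSP on every response.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"regexp"
	"strings"
)

// Asset is a stored upload. Name is the uploader-supplied file name and is
// untrusted, like the bytes themselves.
type Asset struct {
	Name string
	Data []byte
}

// Constructed sample uploads for this example (not real note assets):
// a real PNG header, an SVG with an event handler, and an "image" whose
// bytes are actually an HTML document.
var assets = map[string]Asset{
	"1": {"logo.png", []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR")},
	"2": {"diagram.svg", []byte(`<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>`)},
	"3": {"photo.png", []byte(`<html><script>alert(document.cookie)</script></html>`)},
}

// inlineTypes lists the only sniffed media types that may render inline.
// SVG, HTML and XHTML are deliberately absent: they can carry script.
var inlineTypes = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true,
}

var unsafeChars = regexp.MustCompile(`[^A-Za-z0-9._-]`)

// safeFilename reduces an untrusted name to a single path component made of
// conservative characters, so it can be quoted in Content-Disposition.
func safeFilename(name string) string {
	base := path.Base(strings.ReplaceAll(name, `\`, "/"))
	base = unsafeChars.ReplaceAllString(base, "_")
	if base == "" || base == "." || base == ".." {
		return "download"
	}
	return base
}

// ServeAsset serves /assets/{id}. The media type comes from sniffing the
// stored bytes, never from the upload name or a client-supplied type; only
// allow-listed image types are served inline, everything else is forced to
// download. nosniff stops the browser from second-guessing the declared type,
// and the sandbox CSP blocks script even if an active document slips through.
func ServeAsset(w http.ResponseWriter, r *http.Request) {
	id := strings.TrimPrefix(r.URL.Path, "/assets/")
	a, ok := assets[id]
	if !ok {
		http.NotFound(w, r)
		return
	}
	h := w.Header()
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")

	sniffed := http.DetectContentType(a.Data)
	mediaType := strings.TrimSpace(strings.Split(sniffed, ";")[0])
	if inlineTypes[mediaType] {
		h.Set("Content-Type", mediaType)
	} else {
		h.Set("Content-Type", "application/octet-stream")
		h.Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", safeFilename(a.Name)))
	}
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write(a.Data)
}

// Fetch drives ServeAsset against a synthetic GET and returns the status,
// Content-Type and Content-Disposition headers for inspection.
func Fetch(id string) (int, string, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/assets/"+id, nil)
	ServeAsset(rec, req)
	return rec.Code, rec.Header().Get("Content-Type"), rec.Header().Get("Content-Disposition")
}

func main() {
	for _, id := range []string{"1", "2", "3", "missing"} {
		code, ct, cd := Fetch(id)
		fmt.Printf("asset %-8s -> %d %-26s %s\n", id, code, ct, cd)
	}
}
```

Note that "photo.png" is refused inline treatment even though its extension looks harmless: the decision is made on the bytes, which is what a browser without nosniff would also have done, only in the attacker's favour. Serving uploads from a separate origin (a dedicated assets host) removes the same-origin impact entirely and is the stronger fix where the deployment allows it; the handler above is the in-process version of that hardening.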