CVE-2026-8193
A weakness has been identified in Akaunting 3.1.21. This issue affects some unknown processing of the file config/dompdf.php of the component Invoice PDF Rendering. Executing a manipulation can lead to server-side request forgery. The attack may be launched remotely. The exploit has been made...
local-deep-research is Vulnerable to HTML Injection via Unescaped User Input in PDF Export (`pdf_service.py:_markdown_to_html`)
Summary PDFService._markdown_to_html constructs an HTML document by interpolating user-controlled values (specifically title, sourced from research.title or research.query, and metadata key-value pairs) directly into an f-string without any HTML escaping. An authenticated attacker can craft a resear...
Cross-site Scripting (XSS)
Overview local-deep-research is an AI-powered research assistant with deep, iterative analysis using LLMs and web searches. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the PDFService._markdown_to_html function. An attacker can cause the server to make unauthorized...
CVE-2026-8318
The vulnerability affects VectifyAI PageIndex (PDF Table of Contents Handler) specifically the toc_transformer in pageindex/page_index.py. The issue causes an infinite loop due to the underlying manipulation, and is described as exploitable remotely. The description notes rolling releases with no...
oxidize-pdf: NaN/inf bypass in colour content-stream emission causes PDF rejection (DoS)
Impact oxidize-pdf defines Color as a pub enum with public tuple-struct variants Rgb(f64, f64, f64), Gray(f64), and Cmyk(f64, f64, f64, f64). The constructors Color::rgb, Color::gray, and Color::cmyk clamp incoming components to [0.0, 1.0], but because the variants are pub, callers can construct values...
Improper Validation of Specified Quantity in Input
Overview Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input via the emission of non-finite color values in the content stream. An attacker can cause PDF viewers to reject the content stream, affected page, or entire document by supplying special...
Gotenberg: Server-Side Request Forgery via Chromium URL Endpoint with Redirect-Based Deny-List Bypass
A review of 4 published Gotenberg security advisories exposed an SSRF issue. GHSA-pjrr-jgp4-v2fm covers SSRF via the downloadFrom endpoint. GHSA-pcrp-7g9h-7qhp covers SSRF via the webhook endpoint. Neither advisory addresses SSRF through the primary Chromium URL-to-PDF conversion endpoint...
PT-2026-39661
Name of the Vulnerable Software and Affected Versions Gotenberg versions prior to 8.32.0 Description Gotenberg is a Docker-powered stateless API for PDF files. The Chromium URL-to-PDF endpoint '/forms/chromium/convert/url' lacks default protection against Server-Side Request Forgery (SSRF) for HTTP...
PT-2026-39893
Name of the Vulnerable Software and Affected Versions Local Deep Research versions prior to 1.6.0 Description The PDFService._markdown_to_html function constructs an HTML document by interpolating user-controlled values directly into an f-string without HTML escaping. Specifically, the title...
Unity Linux 20.1060e / 20.1070e Security Update: pdfbox (UTSA-2026-017627)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017627 advisory. In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree...
Unity Linux 20.1060e / 20.1070e Security Update: ImageMagick (UTSA-2026-017623)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017623 advisory. In RestoreMSCWarning of /coders/pdf.c there are several areas where calls to GetPixelIndex could result in values outside the range of representable for the unsigned...
CyberThreat-Nlp-Intelligence-System
CyberGuard AI: Cyber Threat Intelligence System. An AI-p...
EUVD-2022-55974
WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized nom, pdf, mp4, webm, and ogg parameters. Attackers can inject payloads like autofocus onfocus event handlers throug...
CVE-2022-50949
WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized mov, pdf, mp4, webm, and ogg parameters. Attackers can inject payloads like autofocus onfocus event handlers throug...
CVE-2022-50949 WordPress Plugin Videos sync PDF 1.7.4 Stored XSS
WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized mov, pdf, mp4, webm, and ogg parameters. Attackers can inject payloads like autofocus onfocus event handlers throug...
CVE-2022-50949
The CVE-2022-50949 entry concerns WordPress Plugin Videos sync PDF 1.7.4, which contains a stored cross-site scripting (XSS) vulnerability in unsanitized parameters (nom, pdf, mp4, webm, ogg). Exploitation enables an authenticated attacker with low privileges to inject JavaScript via the plugin o...
PT-2026-39478
WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized nom, pdf, mp4, webm, and ogg parameters. Attackers can inject payloads like autofocus onfocus event handlers throug...
WordPress plugin Videos sync PDF cross-site scripting vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...
CVE-2026-8193 Akaunting Invoice PDF Rendering dompdf.php server-side request forgery
A weakness has been identified in Akaunting 3.1.21. This issue affects some unknown processing of the file config/dompdf.php of the component Invoice PDF Rendering. Executing a manipulation can lead to server-side request forgery. The attack may be launched remotely. The exploit has been made...