843 matches found

RedHat Linux
added 2026/02/24 12:6 p.m. | 2 views

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

CVSS 7.5 | AI score 5.8 | EPSS 0.00045
Exploits: 0 | References: 8

OSV
added 2026/02/24 1:16 a.m. | 2 views

CVE-2026-3049

A vulnerability was detected in horilla-opensource horilla up to 1.0.2. This issue affects the function get of the file horillagenerics/globalsearch.py of the component Query Parameter Handler. The manipulation of the argument prevurl results in open redirect. The attack can be executed remotely...

CVSS 6.1 | AI score 5.2
Exploits: 0 | References: 6

Vulnrichment
added 2026/02/24 12:32 a.m. | 2 views

CVE-2026-3049 horilla-opensource horilla Query Parameter global_search.py get redirect

A vulnerability was detected in horilla-opensource horilla up to 1.0.2. This issue affects the function get of the file horillagenerics/globalsearch.py of the component Query Parameter Handler. The manipulation of the argument prevurl results in open redirect. The attack can be executed remotely...

CVSS 5.3 | AI score 5 | EPSS 0.00059
Exploits: 1 | References: 6

EUVD
added 2026/02/24 12:32 a.m. | 1 view

EUVD-2026-7457

A vulnerability was detected in horilla-opensource horilla up to 1.0.2. This issue affects the function get of the file horillagenerics/globalsearch.py of the component Query Parameter Handler. The manipulation of the argument prevurl results in open redirect. The attack can be executed remotely...

CVSS 5.3 | AI score 4.7 | EPSS 0.00059
Exploits: 1 | References: 6

Positive Technologies
added 2026/02/24 12:0 a.m. | 4 views

PT-2026-21595

A vulnerability was detected in horilla-opensource horilla up to 1.0.2. This issue affects the function get of the file horilla generics/global search.py of the component Query Parameter Handler. The manipulation of the argument prev url results in open redirect. The attack can be executed...

CVSS 5.3 | AI score 4.7 | EPSS 0.00059
Exploits: 1 | References: 7

Tenable Nessus
added 2026/02/24 12:0 a.m. | 2 views

RHEL 9 : golang (RHSA-2026:3193)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:3193 advisory. The golang packages provide the Go programming language compiler. Security Fixes: golang: archive/zip: Excessive CPU consumption when buildi...

CVSS 10 | AI score 5.8 | EPSS 0.00045
Exploits: 2 | References: 10

CNNVD
added 2026/02/24 12:0 a.m. | 2 views

Horilla Input Validation Error Vulnerability

Horilla is a free open-source human resources software developed by Horilla Company. Versions of Horilla 1.0.2 and earlier contained a vulnerability related to input validation errors. This vulnerability stemmed from incorrect handling of the parameter prevurl in the Query Parameter Handler...

CVSS 6.1 | AI score 5.8 | EPSS 0.00059
Exploits: 1 | References: 6

RedhatCVE
added 2026/02/21 7:29 p.m. | 3 views

CVE-2026-27503

SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in admin/log.php via the search query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value directly into an HTML input value attribute,...

CVSS 6.1 | AI score 5.3 | EPSS 0.00039
Exploits: 0 | References: 1

CNNVD
added 2026/02/20 12:0 a.m. | 3 views

SVXportal Security Vulnerability

SVXportal is a portal website developed by Peter as an individual developer. Versions of SVXportal 2.5 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the lack of validation for the search query parameter in the log.php file, which could lead to reflection-type...

CVSS 6.1 | AI score 5.7 | EPSS 0.00056
Exploits: 0 | References: 2

Positive Technologies
added 2026/02/20 12:0 a.m. | 3 views

PT-2026-21271

SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in log.php via the search query parameter. The application embeds the unsanitized parameter value directly into an HTML input value attribute, allowing an unauthenticated remote attacker to inject and execute...

CVSS 5.1 | AI score 5.6 | EPSS 0.00056
Exploits: 0 | References: 3

Snyk
added 2026/02/19 10:8 a.m. | 3 views

Cross-site Scripting (XSS)

Overview org.opencms:opencms-core is a Java open source content management system by Alkacon Software. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the q parameter in the /search/index.html process. An attacker can execute arbitrary JavaScript code in a victim'...

CVSS 6.1 | AI score 5.5 | EPSS 0.00039
Exploits: 0 | References: 2

OSV
added 2026/02/19 9:16 a.m. | 3 views

CVE-2026-2736

Reflected Cross-site Scripting XSS in Alkacon's OpenCms v18.0, which allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL containing the ‘q’ parameter in ‘/search/index.html’. This vulnerability can be exploited to steal sensitive user...

CVSS 6.1 | AI score 5.8
Exploits: 0 | References: 1

NVD
added 2026/02/19 9:16 a.m. | 2 views

CVE-2026-2736

Reflected Cross-site Scripting XSS in Alkacon's OpenCms v18.0, which allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL containing the ‘q’ parameter in ‘/search/index.html’. This vulnerability can be exploited to steal sensitive user...

CVSS 6.1 | EPSS 0.00039
Exploits: 0 | References: 1

NVD
added 2026/02/18 10:16 p.m. | 2 views

CVE-2026-27176

MajorDoMo aka Major Domestic Module contains a reflected cross-site scripting XSS vulnerability in command.php. The $qry parameter is rendered directly into the HTML page without sanitization via htmlspecialchars, both in an input field value attribute and in a paragraph element. An attacker can...

CVSS 6.1 | EPSS 0.00095
Exploits: 1 | References: 3

Vulnrichment
added 2026/02/18 9:10 p.m. | 3 views

CVE-2026-27176 MajorDoMo Reflected Cross-Site Scripting in command.php

MajorDoMo aka Major Domestic Module contains a reflected cross-site scripting XSS vulnerability in command.php. The $qry parameter is rendered directly into the HTML page without sanitization via htmlspecialchars, both in an input field value attribute and in a paragraph element. An attacker can...

CVSS 6.1 | AI score 5.4 | EPSS 0.00095
Exploits: 1 | References: 3

CNNVD
added 2026/02/18 12:0 a.m. | 3 views

MajorDoMo Cross-Site Scripting Vulnerability

MajorDoMo is an open-source DIY smart home automation platform developed by the MajorDoMo community. MajorDoMo has a cross-site scripting vulnerability, which stems from the $qry parameter in the command.php file being rendered directly into the HTML page without proper cleaning. Attackers can...

CVSS 6.1 | AI score 5.6 | EPSS 0.00095
Exploits: 1 | References: 3

RedhatCVE
added 2026/02/14 7:23 a.m. | 0 views

CVE-2026-1721

Summary A Reflected Cross-Site Scripting XSS vulnerability was discovered in the AI Playground's OAuth callback handler. The errordescription query parameter was directly interpolated into an HTML script tag without proper escaping, allowing attackers to execute arbitrary JavaScript in the contex...

CVSS 6.2 | AI score 5.9 | EPSS 0.00023
Exploits: 0 | References: 1

OSV
added 2026/02/06 4:41 p.m. | 1 view

CVE-2026-23738 The Asterisk embedded web server's /httpstatus page echoes user-supplied values (cookie and query string) without sanitization

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using aststrappend. The...

CVSS 3.5 | AI score 5.3 | EPSS 0.00051
Exploits: 0 | References: 3

Veracode
added 2026/02/06 10:13 a.m. | 6 views

Reflected DOM-based Cross-Site Scripting (XSS)

gi-docgen is vulnerable to a reflected DOM-based Cross-Site Scripting XSS. The vulnerability is due to improper sanitization of user-supplied input in the q GET parameter, which allows an attacker to exploit it via a crafted URL to execute arbitrary JavaScript in the victim’s browser...

CVSS 6.1 | AI score 5.9 | EPSS 0.00007
Exploits: 0 | References: 5 | Affected Software: 1

CNVD
added 2026/02/05 12:0 a.m. | 1 view

Google Go Denial of Service Vulnerability (CNVD-2026-10649)

Google Go is a static strongly typed, compiled, concatenated, and garbage-collected programming language from Google. A denial of service vulnerability exists in Google Go, which stems from an unrestricted number of query parameters, which can be exploited by an attacker to cause excessive memory...

CVSS 7.5 | AI score 5.7 | EPSS 0.00045
Exploits: 0 | References: 1