CVE-2026-8139

Concrete CMS versions 9.5.0 and earlier are vulnerable to stored XSS on the external-link page cvName due to updateCollectionAliasExternal bypassing sanitization. The issue is triggered by the sanitize bypass in updateCollectionAliasExternal, enabling stored scripts delivered to users. Affected p...

Cross-site Scripting (XSS)

Overview @umbraco-cms/backoffice is a This package contains the types for the Umbraco Backoffice. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the confirmation dialog element. An attacker can execute arbitrary scripts in the context of the affected application ...

GHSA-32Q2-HHR5-6QVV md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)

Summary A cross-site scripting XSS vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including tags—is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution ...

MAL-2026-4492 Malicious code in autoheal-dev-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e0f114cd638df1be1f2262e1b05dbe726cee5600a10be6d67be8ac8e1089f3d autoheal-dev-cli is a setup wizard bin/setup.js that, when run, performs three installer-harm actions against the developer running it: 1...

Malicious code in autoheal-dev-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e0f114cd638df1be1f2262e1b05dbe726cee5600a10be6d67be8ac8e1089f3d autoheal-dev-cli is a setup wizard bin/setup.js that, when run, performs three installer-harm actions against the developer running it: 1...

CVE-2026-1543

CVE-2026-1543 concerns the Avada (Fusion) Builder WordPress plugin. All versions up to and including 3.15.2 are affected by a Stored Cross-Site Scripting (XSS) flaw due to insufficient input sanitization and output escaping. The vulnerability can be exploited by an authenticated attacker with Sub...

EUVD-2026-31192

Mantis Bug Tracker MantisBT is an open source issue tracker. Versions 2.28.1 and below contain flawed logic that causes improper escaping of a textarea custom field's contents in the Update Issue page, bugupdatepage.php allowing an attacker to inject HTML and, if CSP settings permit, execute...

EUVD-2026-31185

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in streetview.php that allows authenticated attackers to inject arbitrary JavaScript by passing unsanitized values through the thelat and thelng GET parameters directly into JavaScript variable assignments...

CVE-2026-35008 Open ISES Tickets < 3.44.2 Reflected XSS via single.php ticket_id Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in single.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticketid GET parameter directly into an HTML attribute. Attackers can craft a...

CVE-2026-6405

The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery CSRF leading to Stored Cross-Site Scripting XSS in versions up to and including 0.3.6. This is due to missing nonce verification on the settings page handler and insufficient output...

CVE-2026-6405

The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery CSRF leading to Stored Cross-Site Scripting XSS in versions up to and including 0.3.6. This is due to missing nonce verification on the settings page handler and insufficient output...

Astra Linux - уязвимость в chromium

Insufficient policy enforcement in the WebView tag in Google Chrome prior to version 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. Chromium security severity: High...

Astra Linux - уязвимость в chromium

Inappropriate implementation in the Extensions API in Google Chrome prior to 104.0.5112.101 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts into the WebUI through a crafted HTML page...

Astra Linux - уязвимость в chromium

Insufficient data validation in Extensions in Google Chrome prior to 115.0.5790.170 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. Chromium security severity: Medium...

Astra Linux - уязвимость в chromium

Insufficient data validation in Blink Editing in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to inject arbitrary scripts or HTML via a crafted HTML page...

Astra Linux - уязвимость в chromium

In DevTools in Google Chrome before version 126.0.6478.182, it was possible for an attacker to convince a user to install a malicious extension, allowing them to inject scripts or HTML into a privileged page through a crafted Chrome Extension. Chromium security severity: High...

Astra Linux - уязвимость в chromium

In incorrect security user interfaces of web app installations in Google Chrome on Android before version 90.0.4430.212, an attacker who convinced a user to install a web application could inject scripts or HTML into a privileged page through a crafted HTML page...

Astra Linux - уязвимость в firefox

Because Firefox did not implement the unsafe-hashes CSP directive, an attacker who was able to inject markup into a page otherwise protected by a Content Security Policy might have been able to inject executable scripts. This would be severely restricted by the specified Content Security Policy o...

Astra Linux - уязвимость в chromium

Inappropriate implementation in Extensions in Google Chrome prior to 115.0.5790.170 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. Chromium security severity: Medium...

Astra Linux - уязвимость в chromium

Insufficient validation of untrusted input in the Settings section of Google Chrome before version 104.0.5112.79 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page through a crafted HTML page...