PT-2026-46684

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 149.0.7827.53 Description Script injection in the Accessibility component allows an attacker to inject arbitrary scripts or HTML, leading to Universal Cross-Site Scripting UXSS, which is a vulnerability that...

PT-2026-46445

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 149.0.7827.53 Description Insufficient validation of untrusted input in DevTools allows a remote attacker who has compromised the renderer process to inject arbitrary scripts or HTML, leading to Universal...

PT-2026-46649

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 149.0.7827.53 Description An inappropriate implementation in the Keyboard component allows a remote attacker to perform Universal Cross-Site Scripting UXSS, which is the ability to execute scripts across differe...

PT-2026-46713

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 149.0.7827.53 Description An inappropriate implementation in CSS allows a remote attacker to perform Universal Cross-Site Scripting UXSS, which is the ability to execute scripts across different origins, by usin...

PT-2026-45772

Name of the Vulnerable Software and Affected Versions Vivotek FD8136 version FD8136-VVTK-0300a Description A remote buffer overflow occurs in the admin interface. An authenticated attacker can exploit this to execute arbitrary code with root privileges on the device via the...

PT-2026-46590

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 149.0.7827.53 Description Insufficient policy enforcement in Extensions allows an attacker to inject scripts or HTML into a privileged page. This occurs when a user is convinced to install a crafted malicious...

PT-2026-46693

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 149.0.7827.53 Description An inappropriate implementation in SVG allows a remote attacker to perform Universal Cross-Site Scripting UXSS, which is the ability to execute scripts across different origins, by usin...

PT-2026-45879

Name of the Vulnerable Software and Affected Versions alf.io versions prior to 2.0-M5-2606 Description An authenticated administrator can execute arbitrary operating system commands on the server due to a sandbox escape in the extension script engine. The system is designed to run restricted...

Malicious Package

Overview @vpmdhaj/search-setup is a malicious package. This package contains malicious code, and its content has been removed from the official package manager. While this package typosquats well-known libraries to impersonate valid open-source ecosystems, there is no connection between those...

GHSA-2H32-95RG-CPPP Vitest browser mode serves unsanitized otelCarrier query parameter as inline script

Summary Vitest browser mode served /vitesttest/ with the otelCarrier query parameter inserted directly into an inline module script. Because this value was treated as JavaScript source rather than data, an attacker could craft a browser-runner URL that executes arbitrary JavaScript in the Vitest...

Vitest browser mode serves unsanitized otelCarrier query parameter as inline script

Summary Vitest browser mode served /vitesttest/ with the otelCarrier query parameter inserted directly into an inline module script. Because this value was treated as JavaScript source rather than data, an attacker could craft a browser-runner URL that executes arbitrary JavaScript in the Vitest...

Cross-site Scripting (XSS)

Overview dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Cross-site Scripting XSS through the HTML allowlist in dist/purify.cjs.js and related build artifacts. An attacker can inject a selectedcontent element into HTML, triggerin...

CVE-2026-10260 CodeAstro Online Job Portal delete-jobs.php sql injection

A vulnerability was detected in CodeAstro Online Job Portal 1.0. The impacted element is an unknown function of the file /admin/jobs-admins/delete-jobs.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit is now...

MAL-2026-5120 Malicious code in redteam-qxz7-utils (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 855b67c0cf1aaed6f5e0ce3a67478a20cd4244c56424002feeeb0dea1a875848 During installation, the package exfiltrates cloud tokens from the environment. --- Category: MALICIOUS - The campaign has clearly malicious intent, like...

CVE-2026-10257 itsourcecode Content Management System update_ss_img.php sql injection

A security flaw has been discovered in itsourcecode Content Management System 1.0. This issue affects some unknown processing of the file /admin/updatessimg.php. The manipulation of the argument topicid results in sql injection. The attack can be executed remotely. The exploit has been released t...

EUVD-2026-33631

A vulnerability was detected in itsourcecode Online House Rental System 1.0. This impacts an unknown function of the file /managepayment.php. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used...

CVE-2026-10252 itsourcecode Online House Rental System manage_tenant.php sql injection

A security vulnerability has been detected in itsourcecode Online House Rental System 1.0. This affects an unknown function of the file /managetenant.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed...

CVE-2026-10249 itsourcecode Online Blood Bank Management System viewrequest.php sql injection

A vulnerability was identified in itsourcecode Online Blood Bank Management System 1.0. Impacted is an unknown function of the file /admin/viewrequest.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might...

CVE-2026-25599 Missing authentication and clear‑text data transmission affecting Orca heat pumps

Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump’s web control interface. Older Orca heat pump devices...

CVE-2026-40545

SOPlanning is vulnerable to Reflected XSS via the taches parameter. An attacker can craft a malicious URL which, when opened by authenticated victim, results in arbitrary JavaScript execution in the victim’s browser. This issue affects SOPlanning version 1.55 and below...