PT-2026-46895

Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section Summary A stored Cross-Site Scripting vulnerability CWE-79; chained CWE-829, Inclusion of Functionality from Untrusted Control Sphere in the AVideo YouTubeAPI plugin renders the snippet.title field returned by the...

PT-2026-46858

Summary AVideo stores category descriptions from user input and later renders category description as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description, which executes when another user views the affected Gallery/category page...

Linux Distros Unpatched Vulnerability : CVE-2026-42321

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GLPI is a free asset and IT management software package. Starting in version 10.0.4 and prior to version 10.0.25, a technician can store an XSS payload in the...

PT-2026-46207

Live Chat Unlimited 2.8.3 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the chat input field. Attackers can submit payloads containing script tags and event handlers that execute in the admin area, enabling cookie...

PT-2026-46293

Name of the Vulnerable Software and Affected Versions Neterbit NW-431F Router versions prior to 20241014-IR03 Description The SMS module contains a stored Cross-Site Scripting XSS issue, where the application fails to properly sanitize user input within SMS messages before they are stored and...

CVE-2025-67448

The SMS module in Neterbit NW-431F Router 20241014-IR03 and before is vulnerable to stored XSS. The application does not properly sanitize user input in SMS messages before storing and displaying them. An attacker can send an SMS containing a malicious XSS payload, which will be executed in the...

PT-2026-46391

IRIS is a web collaborative platform that helps incident responders share technical details during investigations. In versions prior to 2.4.28, users can create alerts for customers that are not assigned to them. This can be abused to falsely attribute fake alerts to customers. In combination wit...

CVE-2025-65640

The CVE-2025-65640 issue affects Arket Globe Document Intelligence 5.0.0.559 (Task in Progress / Recent page). It is a Cross Site Scripting (XSS) vulnerability caused by improper sanitization/escaping of user input in text fields when creating a new document, allowing injected JavaScript to run i...

PT-2026-46185

HCL iControl was affected by Missing Security Headers vulnerability. which lead to cross-site scripting XSS attacks by enabling the built-in XSS filtering mechanisms of modern web browsers...

PT-2026-46312

Name of the Vulnerable Software and Affected Versions Arket Globe Document Intelligence version 5.0.0.559 Description Cross Site Scripting XSS occurs in the "Task in Progress / Recent" page due to improper sanitization of user input in text fields during the creation of a new document. An...

PT-2026-46209

GigToDo 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript and HTML code through the proposal description field. Attackers can craft XSS payloads in the create proposal endpoint that execute when administrators or other...

Fedora 43 : roundcubemail (2026-07ee097ffe)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-07ee097ffe advisory. Release 1.6.16 - Fix potential too long value in IMAP ID command 10136 - Security: Fix stored XSS/HTML/CSS injection in subject field of the draft...

CVE-2025-65640

Cross Site Scripting XSS vulnerability in the "Task in Progress / Recent" page in Arket Globe Document Intelligence 5.0.0.559 due to improper sanitization of user input in text fields when creating a new document. Specifically, when an authenticated attacker submits data containing JavaScript cod...

PT-2026-46214

WordPress Popup Builder 3.49 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tags in the post title parameter. Attackers can submit crafted POST requests to the post.php endpoint with script payload...

PT-2026-46891

SVG files are in the allowed extensions whitelist and can be uploaded by any admin user via the media manager. There is zero SVG content sanitization anywhere in the upload pipeline. A malicious SVG with JavaScript onload, , executes in the context of the Shopware domain when accessed. The Proble...

(Pwn2Own) Microsoft Edge Navigation Handling Universal Cross-Site Scripting Vulnerability

This vulnerability allows remote attackers to execute arbitrary cross-origin script on affected installations of Microsoft Edge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the...

CVE-2025-65640

Cross Site Scripting XSS vulnerability in the "Task in Progress / Recent" page in Arket Globe Document Intelligence 5.0.0.559 due to improper sanitization of user input in text fields when creating a new document. Specifically, when an authenticated attacker submits data containing JavaScript cod...

ALSA-2026:23388 Important: php security update

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fixes: PHP: PHP: Denial of Service via improper handling of signed characters in ctype functions CVE-2026-7258 PHP: PHP-FPM: PHP-FPM: Cross-Site Scripting vulnerability via improper URL sanitation...

CVE-2025-67448

The SMS module in Neterbit NW-431F Router 20241014-IR03 and before is vulnerable to stored XSS. The application does not properly sanitize user input in SMS messages before storing and displaying them. An attacker can send an SMS containing a malicious XSS payload, which will be executed in the...

JetBrains TeamCity < 2025.11.5 Multiple Vulnerabilities

The version of JetBrains TeamCity installed on the remote host is prior to 2025.11.5. It is, therefore, affected by multiple vulnerabilities: - In JetBrains TeamCity before 2026.1, 2025.11.5 authenticated users could expose server API to unauthorised access CVE-2026-44413 - In JetBrains TeamCity...