EUVD-2026-10714

RenderBlocking is a MediaWiki extension that allows interface administrators to specify render-blocking CSS and JavaScript. Prior to 0.1.1, there is Stored XSS in renderblocking-css with Inline Assets mode. $wgRenderBlockingInlineAssets = true and editsitecss user rights are required. This...

CVE-2026-30974 Copyparty volflag `nohtml` did not block javascript in svg files

Copyparty is a portable file server. Prior to v1.20.11., the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the...

CVE-2025-11158

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to a RCE...

PT-2026-24506

The Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via PDF page labels in all versions up to, and including, 2.4.20 due to insufficient input sanitization and output escaping. This makes it possible for...

Hitachi Vantara Pentaho Data Integration & Analytics 安全漏洞

Hitachi Vantara Pentaho Data Integration & Analytics is a data integration and analysis system developed by Hitachi, Ltd. Versions of Hitachi Vantara Pentaho Data Integration & Analytics prior to 10.2.0.6, including 9.3.x and 8.3.x versions, have security vulnerabilities. These vulnerabilities st...

CVE-2025-11158 Hitachi Vantara Pentaho Data Integration & Analytics - Missing Authorization

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to a RCE...

CVE-2025-11158

Hitachi Vantara Pentaho Data Integration & Analytics is affected by CVE-2025-11158 in versions before 10.2.0.6, including 9.3.x and 8.3.x. The root cause is failure to restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to a remote c...

CVE-2025-11158 Hitachi Vantara Pentaho Data Integration & Analytics - Missing Authorization

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to a RCE...

EUVD-2026-10339

Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a self navigation to an invalid port and triggering an iframe redirect, causing the UI to display a trusted domain without user interaction. This vulnerability affects Focus for iOS...

EUVD-2026-10338

Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a self navigation to an invalid port and triggering an iframe redirect, causing the UI to display a trusted domain without user interaction. This vulnerability affects Focus for iOS...

Exploit for Deserialization of Untrusted Data in Microsoft

CVE-2025-59287 — WSUS Unauthenticated RCE Purple team exercis...

Mozilla Firefox Focus for iOS 安全漏洞

Mozilla Firefox Focus for iOS is a privacy browser designed specifically for iOS devices by the Mozilla Foundation in the United States. Versions of Mozilla Firefox Focus for iOS prior to 148.2 contained a security vulnerability. This vulnerability allowed malicious scripts to display web content...

PT-2026-24134

Name of the Vulnerable Software and Affected Versions Hitachi Vantara Pentaho Data Integration & Analytics versions prior to 10.2.0.6 Hitachi Vantara Pentaho Data Integration & Analytics versions 8.3.x Hitachi Vantara Pentaho Data Integration & Analytics versions 9.3.x Description The software do...

SUSE-SU-2026:0848-1 Security update for valkey

This update for valkey fixes the following issues: Update to version 8.0.7. Security issues fixed: - CVE-2025-67733: data tampering and denial of service via improper null character handling in Lua scripts bsc1258746. - CVE-2026-21863: denial of service via invalid clusterbus packet bsc1258788...

PT-2026-23845

The Show YouTube video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'syv' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

PT-2026-23839

The Wueen plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wueen-blocket shortcode in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

Multi-Stage VOID#GEIST Malware Delivering XWorm, AsyncRAT, and Xeno RAT

Cybersecurity researchers have disclosed details of a multi-stage malware campaign that uses batch scripts as a pathway to deliver various encrypted remote access trojan RATs payloads that correspond to XWorm, AsyncRAT, and Xeno RAT. The stealthy attack chain has been codenamed VOIDGEIST by...

Malicious code in fastapi-requests (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 8e414a858711540d25b63ced50114d396e150157b65a70056beccc38948a4199 The package clones a legitimate library and contains hidden code that executes remote scripts. During the analysis, the remote code was no longer available ---...

MAL-2026-1260 Malicious code in webmd-url (npm)

Package exfiltrates data via pre/postinstall scripts, and has a suspicious main entrypoint targeting MongoDB configurations. Package extracts data like username, hostname and current working directory and sends it to malicious domain http://4v6heh2m.requestrepo.com/depconf/webmd-url/ --- -= Per...

PT-2026-23787

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.0.13 Description Flowise has a flaw where the /api/v1/attachments/:chatflowId/:chatId endpoint allows unauthenticated access to the file upload API because it is included in the WHITELIST URLS. The server trusts the...