CVE-2021-47931 Exponent CMS 2.6 Multiple Vulnerabilities Stored XSS Authentication

Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Title and Text Block parameters in the text editing endpoint. Attackers can inject iframe payloads with embedded SVG onload events to execute arbitrary...

CVE-2022-50945 WordPress 3dady Real-Time Web Stats 1.0 Stored XSS

WordPress 3dady Real-Time Web Stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input fields. Attackers can insert JavaScript payloads in the dadyinputtext or dady2inputtext fields via...

CVE-2022-50945

WordPress 3dady Real-Time Web Stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input fields. Attackers can insert JavaScript payloads in the dadyinputtext or dady2inputtext fields via...

openSUSE 16 Security Update : perl-Text-CSV_XS (openSUSE-SU-2026:20708-1)

The remote openSUSE 16 host has a package installed that is affected by a vulnerability as referenced in the openSUSE- SU-2026:20708-1 advisory. This update for perl-Text-CSVXS fixes the following issue: - CVE-2026-7111: use-after-free when registered callbacks extend the Perl argument stack may...

PT-2026-39522

WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text field during paymen...

PT-2026-39507

Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Title and Text Block parameters in the text editing endpoint. Attackers can inject iframe payloads with embedded SVG onload events to execute arbitrary...

Exponent CMS 跨站脚本漏洞

Exponent CMS is a website content management system provided by the Exponent company, offering capabilities for page management and modular content editing. Version 2.6 of Exponent CMS contains a cross-site scripting vulnerability. This vulnerability stems from storage-based cross-site scripting...

OESA-2026-2231 uriparser security update

The package is a strictly RFC 3986 compliant URI parsing library written in C89"ANSI C". uriparser is cross-platform, fast, supports Unicode and is licensed under the New BSD license. There are a number of applications, libraries and hardware using uriparser, as well as bindings and 3rd-party...

OESA-2026-2230 uriparser security update

The package is a strictly RFC 3986 compliant URI parsing library written in C89"ANSI C". uriparser is cross-platform, fast, supports Unicode and is licensed under the New BSD license. There are a number of applications, libraries and hardware using uriparser, as well as bindings and 3rd-party...

Unity Linux 20.1070e Security Update: xterm (UTSA-2026-017371)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017371 advisory. xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in setsixel in graphicssixel.c via crafted text. Tenable has...

CVE-2026-42456

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLLM returns the text-to-speech audio for another user's chat response within the same workspace...

CVE-2026-42456

AnythingLLM vulnerable prior to v1.12.1: GET /api/workspace/:slug/tts/:chatId exposes another user’s private chat response as TTS audio due to ownership check not being enforced, enabling IDOR. Authenticated users can access audio content by guessing known chatId. Issue patched in v1.12.1; remedi...

EUVD-2026-28865

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLLM returns the text-to-speech audio for another user's chat response within the same workspace...

CVE-2026-41591

Marko is a declarative, HTML-based language for building web apps. Prior to marko version 5.38.36 and prior to @marko/runtime-tags 6.0.164, when dynamic text is interpolated into a ,...

CVE-2026-41524

Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with Laravel Blade's unescaped output directive !! !!. Any JavaScript or HTML injected by an editor-ro...

CVE-2025-55449

AstrBotDevs AstrBot 3.5.15 has AdvancedSystemforTextResponseandBotOperationsTool as the hardcoded private key used to sign a JWT...

OrchJail: Jailbreaking Tool-Calling Text-To-Image Agents by Orchestration-Guided Fuzzing

Tool-calling text-to-image T2I agents can plan and execute multi-step tool chains to accomplish complex generation and editing queries. However, this capability introduces a new safety attack surface: harmful outputs may arise from tool orchestration, where individually benign steps combine into...

Lightweight JSON text parser 安全漏洞

Lightweight JSON Text Parser is a lightweight JSON text parsing library developed by Tilen Majerle. Version 1.8.1 of Lightweight JSON Text Parser has a security vulnerability. This vulnerability stems from a logical error in the string termination detection mechanism of the streaming JSON parser,...

PT-2026-39138

Name of the Vulnerable Software and Affected Versions Brave CMS versions prior to commit 6c56603 Description Page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and rendered using Laravel Blade's unescaped output directive !! !!. This...

marko 跨站脚本漏洞

Marko is an open-source declarative HTML language used for building dynamic user interfaces. Versions of Marko prior to 5.38.36 contained a cross-site scripting vulnerability. This vulnerability occurred when dynamic text was inserted into script or style tags without preventing the escape of...