CVE-2026-48927

Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the build URL, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs or views...

PT-2026-44020

Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the build URL, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs or views...

GHSA-XW67-CG5F-4M2R AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL

Summary Type: Classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/onpublish.php builds an execAsync command line by string concatenation, single-quoting each argument but never calling escapeshellarg. A ' in any of the three interpolated values $usersid, $m3u8,...

DEBIAN-CVE-2026-39823

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS...

CVE-2026-42524

CVE-2026-42524 : Jenkins HTML Publisher Plugin 427 and earlier is vulnerable to a stored XSS due to not escaping the job name and URL in the legacy wrapper file. This can be exploited by attackers with Item/Configure permission. The public descriptions identify the affected component and the root...

CVE-2026-42524

Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...

CVE-2026-33319 AVideo Vulnerable to OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command

WWBN AVideo is an open source video platform. Prior to version 26.0, the uploadVideoToLinkedIn method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via escapeshellarg. If an attacke...

AVideo has an OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command

Summary The uploadVideoToLinkedIn method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via escapeshellarg. If an attacker can influence the LinkedIn API response via MITM, compromis...

CVE-2026-21871

Summary: NiceGUI (Python UI framework) versions 2.13.0–3.4.1 are affected by a DOM-based XSS vulnerability in ui.navigate.history.push() and ui.navigate.history.replace(). If an attacker-supplied string is embedded into generated JavaScript without proper escaping, it can escape the string contex...

EUVD-2012-3457

Malware in sbrugna...

EUVD-2021-11705

Malware in sbrugna...

EUVD-2024-1028

Malicious code in bioql PyPI...

EUVD-2022-6296

Malicious code in bioql PyPI...

CVE-2025-53658

Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...

CVE-2025-53658

Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...

Jenkins plugin Applitools Eyes 安全漏洞

Jenkins and Jenkins plugin are both Jenkins open source products.Jenkins is an application software. An open source automation server Jenkins provides hundreds of plugins to support building, deploying and automating any project.Jenkins plugin is an application software plugin. A security...

CVE-2024-10577

The 胖鼠采集Fat Rat Collect 微信知乎简书腾讯新闻列表分页采集, 还有自动采集、自动发布、自动标签、等多项功能。开源插件 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to missing escaping on a URL in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVE-2012-3501

The squidclamavcheckpreviewhandler function in squidclamav.c in SquidClamav 5.x before 5.8 and 6.x before 6.7 passes an unescaped URL to a system command call, which allows remote attackers to cause a denial of service daemon crash via a URL with certain characters, as demonstrated using %0D or %...

CVE-2025-2166

The CM FAQ – Simplify support with an intuitive FAQ management tool plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of removequeryarg without appropriate escaping on the URL in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated...

SUSE CVE-2025-27088

oxyno-zeta/s3-proxy is an aws s3 proxy written in go. In affected versions a Reflected Cross-site Scripting XSS vulnerability enables attackers to create malicious URLs that, when visited, inject scripts into the web application. This can lead to session hijacking or phishing attacks on a trusted...