EUVD-2026-38794

A Stored Cross-Site Scripting XSS vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input before generating HTML output in the Audit Trail component...

EUVD-2026-38452

NetComm NF20MESH routers running firmware R6B031 and earlier contain an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands as root by injecting shell metacharacters into the username JSON parameter processed by the...

PT-2026-45850

Name of the Vulnerable Software and Affected Versions docling-core versions 2.5.0 through 2.74.0 Description Insufficient input sanitization when processing specific documents allows for path traversal, enabling remote attackers to read arbitrary files from the host server. The software allows...

CVE-2026-8827

The CVE concerns TYPO3 extension Address List (tt_address). AddressRepository::getSqlQuery() builds a database query without proper sanitization, enabling SQL injection when untrusted input is used. The issue is not triggered internally by the extension in a default install, but could be exploite...

Command Injection

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Command Injection via improper handling of user-supplied input in the onpublish.php process. An attacker can execute arbitrary operating system commands by injecti...

CVE-2026-31226

The TinyZero project thru commit 6652a63c57fa7e5ccde3fc9c598c7176ff15b839 2025-58-24 contains a critical command injection vulnerability CWE-78 in its HDFS file operation utilities. The vulnerability arises from the unsafe construction and execution of shell commands via os.system without proper...

Vulnerabilities in Microsoft SQL Server

Microsoft has addressed vulnerabilities in SQL Server. A malicious individual could exploit these vulnerabilities by having SQL Server improperly neutralize inputs and dereference untrusted pointers. This could allow an authorized attacker to gain elevated privileges locally or execute code...

EUVD-2026-15832

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in jgwhite33 WP TripAdvisor Review Slider wp-tripadvisor-review-slider allows Stored XSS.This issue affects WP TripAdvisor Review Slider: from n/a through = 14.1...

CVE-2026-32986 Textpattern CMS 4.9.0: Second-Order XSS via Atom Feed Injection

Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category th...

OliveTin's unsafe parsing of UniqueTrackingId can be used to write files

When the saveLogs feature is enabled, OliveTin persists execution log entries to disk. The filename used for these log files is constructed in part from the user-supplied UniqueTrackingId field in the StartAction API request. This value is not validated or sanitized before being used in a file...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsafe template rendering that combines user input with permissive sanitizer handling of data URLs in the display of author and committer names. An attacker can execute arbitrary JavaScript in the context of...

Nagios Host monitoringwizard Command Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific flaw exists within the monitoringwizard module. The issue results from the lack of proper validation of a...

CVE-2026-26029 sf-mcp-server has a Command Injection in query_records tool due to unsafe use of child_process.exec

sf-mcp-server is an implementation of Salesforce MCP server for Claude for Desktop. A command injection vulnerability exists in sf-mcp-server due to unsafe use of childprocess.exec when constructing Salesforce CLI commands with user-controlled input. Successful exploitation allows attackers to...

CVE-2026-26029

CVE-2026-26029 affects the sf-mcp-server component (Salesforce MCP server for Claude for Desktop). The issue arises from unsafe use of child_process.exec when forming Salesforce CLI commands with user-controlled input, enabling a potential command injection. Successful exploitation could execute ...

CVE-2025-14541

CVE-2025-14541 refers to the WordPress plugin “Lucky Wheel Giveaway” (versions up to and including 1.0.22) with a Remote Code Execution vulnerability. The root cause is PHP eval() being applied to user-controlled input via the conditional_tags parameter, allowing an authenticated attacker with Ad...

PT-2026-7725

Name of the Vulnerable Software and Affected Versions sf-mcp-server affected versions not specified Description A command injection issue exists in sf-mcp-server, an implementation of Salesforce MCP server for Claude for Desktop. The issue is due to the unsafe use of the child process.exec functi...

Prototype Pollution

deepHas is vulnerable to Prototype Pollution. The vulnerability is due to unsafe handling of nested object keys, where attacker-controlled input can modify properties on JavaScript prototypes, allowing global object behavior to be altered in applications using deephas...

EUVD-2026-5008

Cybersecurity AI CAI is a framework for AI Security. In versions up to and including 0.5.10, the CAI Cybersecurity AI framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed directly to shell commands via subprocess.Popen with...

WordPress plugin Appointment Hour Booking: Cross-site scripting vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVE-2026-24823

Out-of-bounds Write, Buffer Copy without Checking Size of Input 'Classic Buffer Overflow' vulnerability in FASTSHIFT X-TRACK Software/X-Track/USER/App/Utils/lvimgpng/PNGdec/src modules. This vulnerability is associated with program files inflate.C. This issue affects X-TRACK: through v2.7...