
98 matches found

Positive Technologies
Added 2 days ago, 4 views

PT-2026-45845

Name of the Vulnerable Software and Affected Versions: ARMember Premium versions prior to 7.3.2. Description: An SQL Injection issue exists in the ARMember Premium plugin for WordPress. The get private content data AJAX action fails to properly sanitize the sSortDir 0 parameter, which is concatenate...

CVSS 6.5 | AI score 5.9 | EPSS 0.00026
Exploits 0 | References 5
Snyk
Added 2026/05/26 6:00 p.m., 6 views

Cross-site Scripting (XSS)

Overview: @typebot.io/js is a JavaScript library to display typebots on your website. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the href attribute in anchor tags rendered from user-controlled content. An attacker can execute arbitrary JavaScript in the context...

CVSS 6.1 | AI score 5.8 | EPSS 0.00049
Exploits 0 | References 2
SUSE CVE
Added 2026/05/08 2:19 a.m., 6 views

SUSE CVE-2026-44264

Weblate is a web-based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has been patched in version 5.17.1...

CVSS 4.3 | AI score 5.7 | EPSS 0.00011
Exploits 0 | References 3
NVD
Added 2026/05/07 3:16 p.m., 5 views

CVE-2026-44264

Weblate is a web-based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has been patched in version 5.17.1...

CVSS 4.3 | EPSS 0.00011
Exploits 0 | References 4
Cvelist
Added 2026/05/07 1:43 p.m., 28 views

CVE-2026-44264: Weblate is vulnerable to XSS via crafted Markdown

Weblate is a web-based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has been patched in version 5.17.1...

CVSS 4.3 | EPSS 0.00011
Exploits 0 | References 4
Vulnrichment
Added 2026/05/07 1:43 p.m., 5 views

CVE-2026-44264: Weblate is vulnerable to XSS via crafted Markdown

Weblate is a web-based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has been patched in version 5.17.1...

CVSS 4.3 | AI score 5.7 | EPSS 0.00011
Exploits 0 | References 4
ATTACKERKB
Added 2026/05/07 1:43 p.m., 3 views

CVE-2026-44264

Weblate is a web-based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has been patched in version 5.17.1...

CVSS 4.3 | AI score 5.7 | EPSS 0.00011
Exploits 0 | References 5 | Affected software 1
OSV
Added 2026/05/07 12:04 a.m., 3 views

GHSA-5CMV-3RC4-7279: Weblate vulnerable to XSS via crafted Markdown

Impact: The Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. Patches: https://github.com/WeblateOrg/weblate/pull/19259. Workarounds: Even though the attacker might be able to inject code into the HTML, Weblate's strict CSP should...

CVSS 4.3 | AI score 5.8 | EPSS 0.00011
Exploits 0 | References 6
Positive Technologies
Added 2026/05/07 12:00 a.m., 5 views

PT-2026-38401

Name of the Vulnerable Software and Affected Versions: Weblate versions prior to 5.17.1. Description: The Markdown renderer used in user comments and other user-provided content fails to properly sanitize certain attributes, which could allow the injection of code into the HTML. Recommendations: Upda...

CVSS 4.3 | AI score 5.9 | EPSS 0.00011
Exploits 0 | References 13
Snyk
Added 2026/05/06 8:31 p.m., 7 views

Cross-site Scripting (XSS)

Overview: thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the search.twig template and the process that decodes and renders user-supplied content without proper sanitization. An...

CVSS 8.2 | AI score 5.8 | EPSS 0.00011
Exploits 0 | References 2
OSV
Added 2026/04/29 11:09 a.m., 1 view

SUSE-SU-2026:1659-1: Security update for sed

This update for sed fixes the following issues: CVE-2026-5958: TOCTOU race allows write of user-controlled content to unintended files and can lead to arbitrary file overwrite (bsc1262144)...

CVSS 2.1 | AI score 5.5 | EPSS 0.00006
Exploits 0 | References 3
Snyk
Added 2026/04/14 11:25 p.m., 3 views

Cross-site Scripting (XSS)

Overview: wwbn/avideo is an Audio and Video Platform, or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the ParsedownSafeWithLinks process. An attacker can execute arbitrary JavaScript in the context of another user's browser session by...

CVSS 5.9 | AI score 5.7 | EPSS 0.00043
Exploits 1 | References 2
RedhatCVE
Added 2026/04/13 7:23 p.m., 1 view

CVE-2026-39315

Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in...

CVSS 6.1 | AI score 5.8 | EPSS 0.00089
Exploits 1 | References 1
ATTACKERKB
Added 2026/04/09 5:54 p.m., 2 views

CVE-2026-39315

Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in...

CVSS 6.1 | AI score 5.9 | EPSS 0.00089
Exploits 1 | References 4 | Affected software 1
Packet Storm News
Added 2026/03/29 12:00 a.m., 3 views

Hidden Ads: Behavior-Triggered Semantic Backdoors for Advertisement Injection in Vision-Language Models

Vision-Language Models (VLMs) are increasingly deployed in consumer applications where users seek recommendations about products, dining, and services. We introduce Hidden Ads, a new class of backdoor attacks that exploit this recommendation-seeking behavior to inject unauthorized advertisements...

AI score 5.9
Exploits 0
RedhatCVE
Added 2026/03/26 3:09 p.m., 3 views

CVE-2026-33335

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from window.open calls directly to shell.openExternal without any validation or protocol allowlisting. An attacker who can place ...

CVSS 6.4 | AI score 5.9 | EPSS 0.00051
Exploits 1 | References 1
OSV
Added 2026/01/16 11:18 a.m., 2 views

HSEC-2024-0004: Hackage package and doc upload stored XSS vulnerability

Hackage package and doc upload stored XSS vulnerability. Author: Fraser Tweedale (Haskell SRT). Executive summary: A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served...

CVSS 9.9 | AI score 6.4 | EPSS 0.00059
Exploits 0 | References 3
CNNVD
Added 2025/12/08 12:00 a.m., 3 views

Vulnerability-Lookup security vulnerability

Vulnerability-Lookup is an open source Vulnerability-Lookup platform for managing disclosure of vulnerabilities. A security vulnerability exists in Vulnerability-Lookup versions prior to 2.18.0 that stems from not securely handling user-controlled content and could lead to a stored cross-site...

CVSS 8.3 | AI score 5.7 | EPSS 0.0005
Exploits 0 | References 1
CNNVD
Added 2025/12/04 12:00 a.m., 1 view

Sonatype Nexus Repository security vulnerability

Sonatype Nexus Repository is a repository manager from Sonatype, Inc. that is used to manage, store and distribute software, among other things. A security vulnerability exists in Sonatype Nexus Repository that stems from a security header not being applied to certain user uploaded content, which...

CVSS 5.1 | AI score 5.9 | EPSS 0.00059
Exploits 0 | References 4
Drupal
Added 2025/12/03 12:00 a.m., 7 views

AI (Artificial Intelligence) - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-119

This module provides the ability to chat with an AI agent using a large language model (LLM) provider for different purposes. The module doesn't sufficiently filter LLM responses. This leads to a cross-site scripting (XSS) vulnerability where an attacker can use prompt injections on user-generated...

CVSS 4.4 | AI score 5.2 | EPSS 0.00054
Exploits 0 | References 4