EUVD-2026-11251

An information disclosure vulnerability in Palo Alto Networks Cortex XDR® Broker VM allows an authenticated user to obtain and modify sensitive information by triggering live terminal session via Cortex UI and modifying any configuration setting. The attacker must have network access to the Broke...

CVE-2026-20162 Stored Cross-Site Scripting (XSS) through Path Traversal in Splunk Enterprise

In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, and Splunk Cloud Platform versions below 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, and 9.3.2411.123, a low-privileged user who does not hold the "admin" or "power" Splunk roles could craft a malicious payload when creating a Vie...

EUVD-2025-208513

IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

EUVD-2025-208512

IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

CVE-2025-36226

IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

CVE-2025-36226 Multiple vulnerabilities in IBM Aspera Faspex

IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

CVE-2025-36226

IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

GO-2026-4614 Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure in github.com/0xJacky/Nginx-UI

Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure in github.com/0xJacky/Nginx-UI. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive...

KLA90934 Multiple vulnerabilities in Google Chrome

Multiple vulnerabilities were found in Google Chrome. Malicious users can exploit these vulnerabilities to cause denial of service, execute arbitrary code, spoof user interface. Below is a complete list of vulnerabilities: 1. Heap buffer overflow vulnerability in WebML can be exploited to cause...

PT-2026-24406

IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

Google Chrome 安全漏洞

Google Chrome is a web browser from Google, an American company. Google Chrome suffers from a security bypass vulnerability caused by an incorrect security UI in PictureInPicture, which can be exploited by an attacker to perform UI spoofing via specially crafted HTML pages...

PT-2026-24876

Insufficient policy enforcement in Extensions in Google Chrome prior to 146.0.7680.71 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. Chromium security severity: Medium...

ROS-20260310-73-0014

A vulnerability in the Split View component of Google Chrome browser is related to information presentation errors in the user interface. Exploitation of the vulnerability could allow a remote attacker to conduct spoofing attacks...

ROS-20260310-73-0013

A vulnerability in the user interface UI of the Google Chrome browser is related to the lack of a user warning about unsafe actions. Exploitation of the vulnerability could allow an attacker acting remotely to bypass existing security restrictions...

CVE-2026-25737

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.24.0 and earlier, an arbitrary file upload vulnerability exists even though file extension restrictions are configured. The restriction is enforced only at the UI level. An attacker can bypass these...

CVE-2026-2919

Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a self navigation to an invalid port and triggering an iframe redirect, causing the UI to display a trusted domain without user interaction. This vulnerability affects Focus for iOS...

PT-2026-24108

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.24.0 and earlier, an arbitrary file upload vulnerability exists even though file extension restrictions are configured. The restriction is enforced only at the UI level. An attacker can bypass these...

Budibase 安全漏洞

Budibase is an open-source low-code platform developed by Budibase in the UK. It allows for the creation of internal applications, workflows, and management panels within minutes. Budibase versions 3.24.0 and earlier contained security vulnerabilities. These vulnerabilities stemmed from file...

SlowBA: An Efficiency Backdoor Attack Towards VLM-Based GUI Agents

Modern vision-language-model VLM based graphical user interface GUI agents are expected not only to execute actions accurately but also to respond to user instructions with low latency. While existing research on GUI-agent security mainly focuses on manipulating action correctness, the security...

CVE-2026-3693

A flaw has been found in Shy2593666979 AgentChat up to 2.3.0. This issue affects the function getuserinfo/updateuserinfo of the file /src/backend/agentchat/api/v1/user.py of the component User Endpoint. This manipulation of the argument userid causes improper control of resource identifiers. It i...