XNUTest

xnutesting Research & Education Only — Proof-of-concept...

CVE-2025-57543

Cross Site scripting vulnerability XSS in NetBox 4.3.5 "comment" field on object forms. An attacker can inject arbitrary HTML, which will be rendered in the web UI when viewed by other users. This could potentially lead to user interface redress attacks or be escalated to XSS in certain contexts...

CVE-2025-36226

IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

CVE-2025-15051

IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality...

CVE-2025-13702

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to...

CVE-2026-32034

OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in the Control UI when allowInsecureAuth is explicitly enabled and the gateway is exposed over plaintext HTTP, allowing attackers to bypass device identity and pairing verification. An attacker with leaked or...

CVE-2026-0835

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.72, 6.2.0.0 through 6.2.0.51, 6.2.1.0 through 6.2.1.11, and 6.2.2.0 are vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus alterin...

CVE-2026-33054

Mesop is a Python-based UI framework that allows users to build web applications. Versions 1.2.2 and below contain a Path Traversal vulnerability that allows any user supplying an untrusted statetoken through the UI stream payload to arbitrarily target files on the disk under the standard...

CVE-2026-31882

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication DAGUAUTHMODE=basic, all Server-Sent Events SSE endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG...

Usability of Passwordless Authentication in Wi-Fi Networks: A Comparative Study of Passkeys and Passwords in Captive Portals

Passkeys have recently emerged as a passwordless authentication mechanism, yet their usability in captive portals remains unexplored. This paper presents an empirical, comparative usability study of passkeys and passwords in a Wi-Fi hotspot using a captive portal. We conducted a controlled...

EUVD-2026-16048

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the legacy patient notes functions in library/pnotes.inc.php perform updates and deletes using WHERE id = ? without verifying that the note belongs to a patient the...

CVE-2026-34055

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the legacy patient notes functions in library/pnotes.inc.php perform updates and deletes using WHERE id = ? without verifying that the note belongs to a patient the...

CVE-2026-34055 OpenEMR has IDOR in Patient Notes Web UI allows unauthorized note access/modification

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the legacy patient notes functions in library/pnotes.inc.php perform updates and deletes using WHERE id = ? without verifying that the note belongs to a patient the...

CVE-2026-2483

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

CVE-2026-2483

IBM InfoSphere Information Server versions 11.7.0.0–11.7.1.6 are vulnerable to a cross-site scripting flaw in the Web UI (CVE-2026-2483), potentially allowing an attacker to inject arbitrary JavaScript and disclose credentials in a trusted session. Root cause is improper handling of input in the ...

CVE-2026-2485 IBM InfoSphere Information Server Cross-Site Scripting

IBM Infosphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a...

CVE-2026-2485

IBM Infosphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a...

CVE-2026-2485

Summary: CVE-2026-2485 affects IBM InfoSphere Information Server versions 11.7.0.0–11.7.1.6. It is a stored cross-site scripting vulnerability in the Web UI that allows a privileged user to inject arbitrary JavaScript, potentially leading to credentials disclosure within a trusted session. The is...

SUSE CVE-2026-4404

Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI...

Security update for Prometheus

This update for Prometheus fixes the following issues: golang-github-prometheus-alertmanager, golang-github-prometheus-nodeexporter: Internal changes to fix build issues with no impact for customers golang-github-prometheus-prometheus: Security issues fixed: CVE-2026-27606: Fixed arbitrary file...