
8202 matches found

Snyk
added 2026/02/19 8:28 p.m. | 4 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview: org.webjars.npm:svelte is a package for building web applications. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in server-side rendering when attribute spreading is performed on elements. An attacker ca...

CVSS 6.8 | AI score 5.8 | EPSS 0.00377
Exploits: 0 | References: 2
ATTACKERKB
added 2026/02/19 7:38 p.m. | 6 views

CVE-2026-27013

Fabric.js is a JavaScript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies escapeXml to text content during SVG export (src/shapes/Text/TextSVGExportMixin.ts:186) but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When...

CVSS 7.6 | AI score 6 | EPSS 0.00281
Exploits: 1 | References: 4 | Affected Software: 1
CVE
added 2026/02/19 3:51 p.m. | 12 views

CVE-2026-25998

strongMan (the management interface for strongSwan) is vulnerable in versions prior to 0.2.0 due to improper encryption of stored credentials in the database. The software used AES-CTR with a global database key and a single IV for all fields, enabling an attacker with database access to recover ...

CVSS 8.7 | AI score 5.7 | EPSS 0.00309
Exploits: 0 | References: 1 | Affected Software: 1
OSV
added 2026/02/19 8:47 a.m. | 3 views

BIT-MILVUS-2026-26190 Milvus Allows Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise

Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath...

CVSS 9.8 | AI score 5.8 | EPSS 0.27661
Exploits: 1 | References: 5
NVD
added 2026/02/19 7:17 a.m. | 6 views

CVE-2025-12451

The Easy SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above,...

CVSS 4.4 | EPSS 0.00239
Exploits: 0 | References: 3
CVE
added 2026/02/19 3:25 a.m. | 12 views

CVE-2025-12451

CVE-2025-12451 concerns the WordPress plugin Easy SVG Support (versions

CVSS 4.4 | AI score 5.7 | EPSS 0.00239
Exploits: 0 | References: 3
CNNVD
added 2026/02/19 12:0 a.m. | 4 views

WordPress plugin Easy SVG Support cross-site scripting vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVSS 6.1 | AI score 5.6 | EPSS 0.00239
Exploits: 0 | References: 3
CNNVD
added 2026/02/19 12:0 a.m. | 5 views

strongMan security vulnerability

strongMan is an API developed by strongSwan. Versions of strongMan prior to 0.2.0 contained a security vulnerability. This vulnerability stemmed from the lack of a separate initialization vector when encrypting database fields, which could lead to credential leakage...

CVSS 8.7 | AI score 6 | EPSS 0.00309
Exploits: 0 | References: 1
CNNVD
added 2026/02/19 12:0 a.m. | 3 views

OpenClaw access control error vulnerability

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from an access control error vulnerability. The vulnerability stems from a mismatch between rawCommand and command in the node host system.run handler, which can be exploited by an attacker to cause the...

CVSS 7.2 | AI score 5.9 | EPSS 0.0049
Exploits: 0 | References: 3
Positive Technologies
added 2026/02/19 12:0 a.m. | 2 views

PT-2026-20583

Name of the Vulnerable Software and Affected Versions: Easy SVG Support plugin for WordPress versions up to and including 4.0. Description: The Easy SVG Support plugin for WordPress is susceptible to Stored Cross-Site Scripting through SVG file uploads. Insufficient input sanitization and output...

CVSS 6.1 | AI score 5.3 | EPSS 0.00239
Exploits: 0 | References: 6
Tenable Nessus
added 2026/02/19 12:0 a.m. | 3 views

Linux Distros Unpatched Vulnerability : CVE-2026-2653

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A security flaw has been discovered in admesh up to 0.98.5. This issue affects the function stlchecknormalvector of the file src/normals.c. Performing a...

CVSS 7.8 | AI score 5.8 | EPSS 0.00241
Exploits: 1 | References: 3
Tenable Nessus
added 2026/02/19 12:0 a.m. | 5 views

Fedora 43 : roundcubemail (2026-547e298156)

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-547e298156 advisory. Release 1.6.13 - Managesieve: Fix handling of string-list format values for date tests in Out of Office 10075 - Fix remote image blocking bypass via SVG...

CVSS 4.7 | AI score 5.7 | EPSS 0.00292
Exploits: 0 | References: 2
Broadcom
added 2026/02/19 12:0 a.m. | 16 views

OpenSSL Stack buffer overflow in CMS AuthEnvelopedData parsing

Brocade Security has become aware of a stack buffer overflow that could lead to a crash, causing Denial of Service, or potentially remote code execution. A remote attacker can exploit a stack buffer overflow vulnerability by supplying a crafted Cryptographic Message Syntax (CMS) message with an...

CVSS 8.8 | AI score 6.3 | EPSS 0.48666
Exploits: 7
CVE
added 2026/02/18 10:47 p.m. | 11 views

CVE-2026-24745

Summary of CVE-2026-24745: InvoicePlane 1.7.0 is vulnerable to a Stored Cross-Site Scripting (XSS) issue in the Upload Login Logo feature, which accepts SVG uploads. The root cause is improper handling of uploaded SVG content, enabling stored script execution. Impact described in sources include...

CVSS 7.5 | AI score 5.7 | EPSS 0.0022
Exploits: 1 | References: 2 | Affected Software: 1
Snyk
added 2026/02/18 10:44 p.m. | 3 views

Cross-site Scripting (XSS)

Overview: fabric is an Object model for HTML5 canvas, and SVG-to-canvas parser. Backed by jsdom and node-canvas. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the loadFromJSON function, which is used in the FabricObjectSVGExportMixin class to deserialize...

CVSS 7.6 | AI score 5.3 | EPSS 0.00281
Exploits: 1 | References: 2
NVD
added 2026/02/18 10:16 p.m. | 6 views

CVE-2019-25359

SD.NET RIM versions before 4.7.3c contain a SQL injection vulnerability that allows attackers to inject malicious SQL statements through POST parameters 'idtyp' and 'idgremium'. Attackers can exploit this vulnerability by crafting specially formed POST requests to the /vorlagen/ endpoint, enablin...

CVSS 8.8 | EPSS 0.0015
Exploits: 0 | References: 4
Vulnrichment
added 2026/02/18 8:59 p.m. | 4 views

CVE-2026-24743 InvoicePlane has a Stored Cross-Site Scripting (XSS) issue

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Invoice Logo functions of InvoicePlane version 1.7.0. The Upload Invoice Logo function allows the application to upload svg file...

CVSS 5.7 | AI score 5.7 | EPSS 0.0022
Exploits: 1 | References: 2
OSV
added 2026/02/18 2:46 p.m. | 6 views

CLSA-2026-1771425977 ImageMagick: Fix of 2 CVEs

CVE-2025-68618: fix DOS when processing a specially crafted malicious SVG file - CVE-2025-69204: fix DOS due to buffer overflow during image processing of a specially crafted SVG image...

CVSS 7.5 | AI score 6.2 | EPSS 0.00552
Exploits: 2 | References: 1
OSV
added 2026/02/18 2:32 p.m. | 5 views

CLSA-2026-1771425162 ImageMagick: Fix of 2 CVEs

CVE-2025-68618: fix DOS when processing a specially crafted malicious SVG file - CVE-2025-69204: fix DOS due to buffer overflow during image processing of a specially crafted SVG image...

CVSS 7.5 | AI score 6 | EPSS 0.00552
Exploits: 2 | References: 1
OSV
added 2026/02/18 11:16 a.m. | 6 views

PYSEC-2026-5

A security flaw has been discovered in admesh up to 0.98.5. This issue affects the function stlchecknormalvector of the file src/normals.c. Performing a manipulation results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been released to the...

CVSS 7.8 | AI score 6 | EPSS 0.00241
Exploits: 1 | References: 7