CVE-2025-70842
FluentCMS 1.2.3 is affected in its File Management module by a Stored XSS vulnerability. An authenticated administrator can upload crafted SVG files containing malicious JavaScript, and the injected script executes in the browser of any user who accesses the direct URL to the image, including una...
AXIS OS security vulnerability
AXIS OS is an operating system for edge devices developed by Axis, a Swedish company. There is a security vulnerability in AXIS OS, which stems from insufficient input validation in configuration files. This vulnerability could lead to path traversal attacks and may result in privilege escalation...
FluentCMS cross-site scripting vulnerability
FluentCMS is an open-source content management system developed by FluentCMS. Version 1.2.3 of FluentCMS has a cross-site scripting vulnerability. This vulnerability stems from stored cross-site scripting in the file management module. It allows authenticated administrators to upload...
PT-2026-40138
Name of the Vulnerable Software and Affected Versions: Microsoft Office SharePoint (affected versions not specified). Description: Deserialization of untrusted data allows an authorized attacker to execute code over a network. Recommendations: At the moment, there is no information about a newer versio...
ROS-20260512-73-0028
A vulnerability in the Core component of the Oracle VM VirtualBox virtual machine is related to insufficient input validation. Exploitation of the vulnerability could allow an attacker to gain full control over the application...
CVE-2026-43901
Wireshark MCP is an MCP Server that turns tshark into a structured analysis interface, then layers in optional Wireshark suite utilities. In 1.1.5 and earlier, wireshark-mcp exposes a wiresharkexportobjects MCP tool that accepts an attacker-controlled destdir parameter and passes it to tshark's...
CVE-2026-43900 DeepChat: Persistent DOM XSS via HTML Entity Encoding in `<antArtifact>` SVG Rendering (Bypass of `svgSanitizer.ts`)
DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, a Cross-Site Scripting (XSS) vulnerability exists due to a discrepancy between the backend validation layer and the frontend browser rendering engine. The SVGSanitizer...
CVE-2026-44695
Outline is a service that allows for collaborative documentation. Prior to 1.7.1, the Slack integration callback for GET /auth/slack.post accepts an unsigned, session-independent OAuth state value. A third party who can obtain a Slack OAuth code for the same Outline Slack client can make a...
CVE-2026-8195
A vulnerability was detected in JeecgBoot up to 3.9.1. The affected element is an unknown function of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/CommonController.java of the component SVG File Handler. The manipulation results in cross site...
CVE-2021-47925
CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file upload endpoints. Attackers can inject XSS payloads through Employee card parameters or SVG file...
Duplicate Advisory: OpenClaw's ACP child sessions inherit subagent security envelope constraints
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-q3jj-46pq-826r. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.22 contains a security envelope constraint bypass vulnerability allowing restricted subagents ...
CVE-2026-44659 Zen Browser Mac - Address Bar Spoofing via Long Subdomain
Zen is a Firefox-based browser. Prior to 1.19.12b, the ZEN Browser incorrectly truncates long hostnames in the address bar and shows only the attacker-controlled prefix of the subdomain, hiding the actual registrable domain (eTLD+1). As a result, an attacker can craft extremely long malicious...
Cross-site Scripting (XSS)
SiYuan is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper escaping of attacker-controlled content in SVG output generated by the dynamic icon API endpoint, which allows an attacker to inject and execute malicious JavaScript through crafted URLs...
[SECURITY] Fedora 43 Update: SDL3_image-3.4.4-1.fc43
Simple DirectMedia Layer (SDL) is a cross-platform multimedia library designed to provide fast access to the graphics frame buffer and audio device. This is a simple library to load images of various formats as SDL surfaces. It can load BMP, GIF, JPEG, LBM, PCX, PNG, PNM (PPM/PGM/PBM), QOI, TGA, XCF,...
PT-2026-39839
Name of the Vulnerable Software and Affected Versions: iOS versions prior to 18.7.9; iOS versions prior to 26.5; iPadOS versions prior to 18.7.9; iPadOS versions prior to 26.5; macOS Sonoma versions prior to 14.8.7; macOS Tahoe versions prior to 26.5; tvOS versions prior to 26.5. Description: An attacker ...
PT-2026-39860
Name of the Vulnerable Software and Affected Versions: DeepChat versions prior to 1.0.4-beta.1. Description: A Cross-Site Scripting (XSS) issue exists due to a discrepancy between the backend validation layer and the frontend browser rendering engine. The SVGSanitizer function...
CairoSVG Denial of Service
CairoSVG versions prior to 2.9.0 suffer from a recursive denial of service vulnerability. CVE-2026-31899: Exponential DoS via Recursive Element Amplification in CairoSVG Keywords: CVE-2026-31899, CairoSVG, exponential DoS, SVG bomb, recursive use element, denial of service, XML amplification,...
CVE-2026-44662 vulnerabilities
Vulnerabilities for packages: sccache, vector, sdp-k8s-injector, sqlx...
GHSA-XV59-967R-8726 vulnerabilities
Vulnerabilities for packages: sccache, vector, sdp-k8s-injector, sqlx...
CVE-2026-44662 vulnerabilities
Vulnerabilities for packages: sqlx, sdp-k8s-injector, typst, guestproxyagent, sccache, vector...