47 matches found

Github Security Blog
added 3 days ago · 10 views

TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection

Impact Stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce- attributes, which are executed when content is rendered. Impacts users of TinyMCE with the media plugin enabled. Patches This vulnerability has been patched in TinyMCE 8.5.1, TinyMCE...

CVSS 8.7 · AI score 5.3 · EPSS 0.00032
Exploits 0 · References 5 · Affected Software 2
OSV
added 2026/05/28 4:16 p.m. · 4 views

UBUNTU-CVE-2026-47762

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option. Thi...

CVSS 8.7 · AI score 5.9 · EPSS 0.00032
Exploits 0 · References 5
Cvelist
added 2026/05/28 3:20 p.m. · 26 views

CVE-2026-47761 TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce- attributes, which are executed when content is rendered. Impacts users of TinyMCE with the media...

CVSS 8.7 · EPSS 0.00032
Exploits 0 · References 3
Positive Technologies
added 2026/05/28 12:00 a.m. · 8 views

PT-2026-44390

Name of the Vulnerable Software and Affected Versions: TinyMCE versions prior to 5.11.1; TinyMCE versions prior to 7.9.3; TinyMCE versions prior to 8.5.1. Description: A stored Cross-Site Scripting (XSS) issue exists in the media plugin. Attackers can inject malicious scripts using specially crafted...

CVSS 8.7 · AI score 6 · EPSS 0.00032
Exploits 0 · References 8
CNNVD
added 2025/12/24 12:00 a.m. · 1 view

Ross Video DashBoard security vulnerability

Ross Video DashBoard is an open control and management system from Ross Video Canada. A security vulnerability exists in Ross Video DashBoard version 8.5.1, which stems from improperly set permissions and could result in elevated privileges...

CVSS 8.8 · AI score 6.8 · EPSS 0.00037
Exploits 1 · References 3
Patchstack
added 2024/05/28 8:21 a.m. · 3 views

WordPress Simple Share Buttons Adder plugin < 8.5.1 - Authenticated Stored Cross-Site Scripting vulnerability

Authenticated Stored Cross-Site Scripting vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin Simple Share Buttons Adder versions 8.5.1...

CVSS 5.4 · AI score 5.7 · EPSS 0.0038
Exploits 2 · References 1 · Affected Software 1
Metasploit
added 2023/10/19 7:50 p.m. · 375 views

Atlassian Confluence Unauthenticated Remote Code Execution

This module exploits an improper input validation issue in Atlassian Confluence, allowing arbitrary HTTP parameters to be translated into getter/setter sequences via the XWorks2 middleware and in turn allows for Java objects to be modified at run time. The exploit will create a new administrator...

CVSS 10 · AI score 9.2 · EPSS 0.94326
Exploits 39
Positive Technologies
added 2023/08/25 12:00 a.m. · 4 views

PT-2023-25854 · Infoblox · Infoblox Nios

Name of the Vulnerable Software and Affected Versions: Infoblox NIOS versions through 8.5.1 Description: The issue is related to a faulty component that accepts malicious input without proper sanitization, resulting in shell access. Recommendations: For Infoblox NIOS versions through 8.5.1,...

CVSS 8.8 · AI score 7.2 · EPSS 0.0013
Exploits 0 · References 7
CNNVD
added 2023/08/25 12:00 a.m. · 3 views

Infoblox NIOS security vulnerability

Infoblox NIOS is an operating system that powers Infoblox core network services. It ensures uninterrupted operation of the network infrastructure. A security vulnerability exists in Infoblox NIOS version 8.5.1 and prior versions, which originates from accepting malicious input without cleaning,...

CVSS 8.8 · AI score 8 · EPSS 0.0013
Exploits 0 · References 3
CBLMariner
added 2023/06/02 9:37 p.m. · 17 views

CVE-2023-31490 affecting package frr for versions less than 8.5.1-2

CVE-2023-31490 affecting package frr for versions less than 8.5.1-2. A patched version of the package is available...

CVSS 7.5 · AI score 7.2 · EPSS 0.0424
Exploits 1
Prion
added 2022/12/23 12:15 a.m. · 28 views

Type confusion

Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the...

CVSS 5.5 · AI score 7.8 · EPSS 0.00082
Exploits 0 · References 2 · Affected Software 1
NVD
added 2022/12/22 7:15 p.m. · 18 views

CVE-2022-23540

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if you do not specify algorithms in the jwt.verify function. This issu...

CVSS 7.6 · EPSS 0.00024
Exploits 0 · References 3
Prion
added 2022/12/22 7:15 p.m. · 19 views

Input validation

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if you do not specify algorithms in the jwt.verify function. This issu...

CVSS 6.5 · AI score 7.6 · EPSS 0.00024
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2022/12/22 6:02 p.m. · 29 views

CVE-2022-23540 jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if you do not specify algorithms in the jwt.verify function. This issu...

CVSS 6.4 · AI score 7.7 · EPSS 0.00024
Exploits 0 · References 3
Cvelist
added 2022/12/22 5:52 p.m. · 20 views

CVE-2022-23541 jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC

jsonwebtoken is an implementation of JSON Web Tokens. Versions <= 8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function referring to the secretOrPublicKey argument from the readme link will result in incorrect verification of tokens. There i...

CVSS 5 · AI score 6.4 · EPSS 0.0006
Exploits 0 · References 4
OSV
added 2022/12/22 5:52 p.m. · 21 views

CVE-2022-23541 jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC

jsonwebtoken is an implementation of JSON Web Tokens. Versions <= 8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function referring to the secretOrPublicKey argument from the readme link will result in incorrect verification of tokens. There i...

CVSS 5 · AI score 6.4 · EPSS 0.0006
Exploits 0 · References 6
Github Security Blog
added 2022/12/22 3:33 a.m. · 40 views

jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC

Overview: Versions <=8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function referring to the secretOrPublicKey argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm...

CVSS 6.3 · AI score 1.9 · EPSS 0.0006
Exploits 0 · References 6 · Affected Software 1
CNNVD
added 2022/12/22 12:00 a.m. · 1 view

jsonwebtoken security vulnerability

jsonwebtoken is a JSON Web token implementation of Auth0 open source. A security vulnerability exists in jsonwebtoken version 8.5.1 and earlier versions, which stems from a key retrieval function that will result in a token validation error...

CVSS 6.3 · AI score 6.7 · EPSS 0.0006
Exploits 0 · References 5
OSV
added 2022/09/25 12:00 a.m. · 2 views

GHSA-C429-5P7V-VGJP hoek subject to prototype pollution via the clone function.

hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone, the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1...

CVSS 8.1 · AI score 6.9 · EPSS 0.01047
Exploits 0 · References 4
OSV
added 2022/09/23 6:15 a.m. · 1 view

DEBIAN-CVE-2020-36604

hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisoning in the clone function...

CVSS 8.1 · AI score 7.7 · EPSS 0.01047
Exploits 0 · References 1