CVE-2026-39426 MaxKB: Stored XSS via Unsanitized iframe_render Parsing
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability where the frontend's MdRenderer.vue component parses custom tags from LLM responses or Application Prologue configurations, bypassing standard Markdown sanitizatio...
EUVD-2026-22184
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an Eval Injection vulnerability in the Markdown rendering engine that allows any user capable of interacting with the AI chat interface to execute arbitrary JavaScript in the browsers of other users, including...
EUVD-2026-15837
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Ays Pro Image Slider by Ays ays-slider allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Slider by Ays: from n/a through <= 2.7.1...
CVE-2023-25031
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Kiboko Labs Arigato Autoresponder and Newsletter plugin <= 2.7.1 versions...
PT-2026-1274
Name of the Vulnerable Software and Affected Versions Xinhu Rainrock RockOA versions up to 2.7.1 Description A security flaw exists in Xinhu Rainrock RockOA up to version 2.7.1. The issue is related to cross site scripting within the Cover Image Handler component, specifically in the file rock pa...
PT-2026-1275
Name of the Vulnerable Software and Affected Versions Xinhu Rainrock RockOA versions up to 2.7.1 Description A security issue exists in Xinhu Rainrock RockOA. The issue involves cross site scripting, potentially allowing remote attacks. The issue is related to the manipulation of the callback...
EUVD-2022-49623
Malicious code in bioql PyPI...
EUVD-2022-0338
Malicious code in bioql PyPI...
SUSE CVE-2025-61659
bash-git-prompt 2.6.1 through 2.7.1 insecurely uses the /tmp/git-index-private$$ file, which has a predictable name...
CVE-2025-58653
CVE-2025-58653 affects the WordPress plugin JSM file_get_contents Shortcode (JSM file_get_contents() Shortcode). The description indicates improper input neutralization leading to a Stored XSS within the shortcode, with affected versions from an unspecified earlier version up to and including 2.7.1. Connected document...
SUSE CVE-2025-40779
If a DHCPv4 client sends a request with some specific options, and Kea fails to find an appropriate subnet for the client, the kea-dhcp4 process will abort with an assertion failure. This happens only if the client request is unicast directly to Kea; broadcast messages do not cause the problem...
CVE-2025-40779 Kea crash upon interaction between specific client options and subnet selection
If a DHCPv4 client sends a request with some specific options, and Kea fails to find an appropriate subnet for the client, the kea-dhcp4 process will abort with an assertion failure. This happens only if the client request is unicast directly to Kea; broadcast messages do not cause the problem...
PT-2024-11743 · WordPress · Js Help Desk
Name of the Vulnerable Software and Affected Versions: JS Help Desk – Best Help Desk & Support Plugin versions n/a through 2.7.1 Description: The issue affects the JS Help Desk plugin, allowing exploitation of incorrectly configured access control security levels due to a missing authorization...
PT-2024-29689 · Atos · Atos Eviden Icare
Name of the Vulnerable Software and Affected Versions: Atos Eviden iCare versions 2.7.1 through 2.7.11 Description: The application exposes a web interface locally. In the worst-case scenario, if the application is remotely accessible, it allows an attacker to execute arbitrary commands with syst...
WordPress Zoho Flow for WordPress plugin <= 2.7.1 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Trương Hữu Phúc Patchstack Alliance in WordPress Plugin Zoho Flow versions <= 2.7.1...
WordPress Tutor LMS plugin <= 2.7.1 - SQL Injection vulnerability
SQL Injection vulnerability discovered by justakazh Patchstack Alliance in WordPress Plugin Tutor LMS versions <= 2.7.1...
PT-2024-33320 · WordPress · The Tutor Lms
Name of the Vulnerable Software and Affected Versions: The Tutor LMS – eLearning and online course solution plugin for WordPress versions up to, and including, 2.7.1 Description: The issue is related to time-based SQL Injection via the course id parameter due to insufficient escaping on the...
VulnCheck KEV: CVE-2024-5324
The Login/Signup Popup Inline Form + Woocommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'importsettings' function in versions 2.7.1 to 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level...
PT-2024-35688 · WordPress · Login/Signup Popup
Name of the Vulnerable Software and Affected Versions: Login/Signup Popup Inline Form + Woocommerce plugin for WordPress versions 2.7.1 through 2.7.2 Description: The issue is related to a missing capability check on the import settings function, allowing authenticated attackers with...