Lucene search
+L

1053 matches found

RedhatCVE
RedhatCVE
added 2026/05/06 2:21 p.m.8 views

CVE-2026-27693

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML...

5.4CVSS5.8AI score0.00183EPSS
Exploits1References1
Snyk
Snyk
added 2026/05/05 3:34 p.m.10 views

XML Injection

Overview Affected versions of this package are vulnerable to XML Injection in the KML and GPX export functionality. An attacker can corrupt the file structure and spoof exported location data by creating a device with a crafted name that injects XML content into the exported files. Remediation...

5.4CVSS5.8AI score0.00183EPSS
Exploits1References2
CVE
CVE
added 2026/05/05 12:17 p.m.12 views

CVE-2026-27693

CVE-2026-27693 affects Traccar (org.traccar:traccar) versions 6.11.1–

5.4CVSS5.8AI score0.00183EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/05 12:17 p.m.5 views

CVE-2026-27693

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML...

5.4CVSS5.8AI score0.00183EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/05 12:17 p.m.7 views

CVE-2026-27693 traccar allows XML injection in KML and GPX exports

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML...

5.4CVSS5.8AI score0.00183EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/05/05 12:17 p.m.39 views

CVE-2026-27693 traccar allows XML injection in KML and GPX exports

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML...

5.4CVSS0.00183EPSS
Exploits1References2
EUVD
EUVD
added 2026/05/05 12:17 p.m.8 views

EUVD-2026-27307

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML...

5.4CVSS5.8AI score0.00183EPSS
Exploits1References2
OSV
OSV
added 2026/05/05 12:17 p.m.3 views

CVE-2026-27693 traccar allows XML injection in KML and GPX exports

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML...

5.4CVSS5.9AI score0.00183EPSS
Exploits1References4
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/28 9:28 p.m.6 views

Security Bulletin: Langflow OSS affected by vulnerabilies in xmldom versions prior to 0.9.9

Summary Langflow OSS affected by vulnerabilies in xmldom versions prior to 0.9.9 Vulnerability Details CVEID:CVE-2026-34601 DESCRIPTION: xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom...

7.5CVSS5.2AI score0.00472EPSS
Exploits0Affected Software1
Snyk
Snyk
added 2026/04/24 2:53 a.m.6 views

XML Injection

Overview Affected versions of this package are vulnerable to XML Injection via the value function in src/Toolkit/Xml.php. An attacker can smuggle raw XML markup into generated output by supplying a string that begins with - GitHub Commit - Maintainer's Advisory Credit: dapatrese...

7.5CVSS5.5AI score0.00346EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/24 12:19 a.m.2 views

CVE-2026-32870 Kirby has XML injection in its XML creator toolkit

Kirby is an open-source content management system. Kirby's Xml::value method has special handling for blocks. If the input value is already valid CDATA, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check int...

6.9CVSS5.2AI score0.00346EPSS
Exploits0References3
CVE
CVE
added 2026/04/24 12:19 a.m.17 views

CVE-2026-32870

Kirby (pre-4.9.0 and pre-5.4.0) has a vulnerability in its Xml::value() handling of CDATA blocks that could allow inputs containing a valid CDATA block plus other structured data to bypass protection. This affects code paths that use Xml::value(), Xml::tag(), Xml::create(), and the Xml data handl...

7.5CVSS5.5AI score0.00346EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/23 9:21 p.m.10 views

Kirby has XML injection in its XML creator toolkit

TL;DR This vulnerability only affects Kirby sites that use the Xml data handler e.g. Data::encode$string, 'xml' or the Xml::create, Xml::tag or Xml::value methods in site or plugin code. The Kirby core does not use any of the affected methods. If consumers use an affected method and cannot rule o...

7.5CVSS5.4AI score0.00346EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/04/23 9:21 p.m.5 views

GHSA-9WFJ-C55W-J9QR Kirby has XML injection in its XML creator toolkit

TL;DR This vulnerability only affects Kirby sites that use the Xml data handler e.g. Data::encode$string, 'xml' or the Xml::create, Xml::tag or Xml::value methods in site or plugin code. The Kirby core does not use any of the affected methods. If consumers use an affected method and cannot rule o...

6.9CVSS5.4AI score0.00346EPSS
Exploits0References5
Snyk
Snyk
added 2026/04/22 8:19 p.m.7 views

XML Injection

Overview org.webjars.npm:xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection in the serialization of DocumentType nodes when attacker-controlled values are provided to the...

8.7CVSS5.8AI score0.00457EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/22 8:19 p.m.7 views

XML Injection

Overview xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection in the serialization of DocumentType nodes when attacker-controlled values are provided to the publicId, systemId, ...

8.7CVSS5.8AI score0.00457EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/22 8:19 p.m.8 views

XML Injection

Overview @xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom Affected versions of this package are vulnerable to XML Injection in...

8.7CVSS5.8AI score0.00457EPSS
Exploits0References2
OSV
OSV
added 2026/04/22 8:19 p.m.14 views

GHSA-F6WW-3GGP-FR8H xmldom has XML injection through unvalidated DocumentType serialization

Summary The package serializes DocumentType node fields internalSubset, publicId, systemId verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is...

8.7CVSS6AI score0.00457EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/04/22 8:19 p.m.23 views

xmldom has XML injection through unvalidated DocumentType serialization

Summary The package serializes DocumentType node fields internalSubset, publicId, systemId verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is...

8.7CVSS6AI score0.00457EPSS
Exploits0References6Affected Software2
Snyk
Snyk
added 2026/04/22 8:17 p.m.10 views

XML Injection

Overview org.webjars.npm:xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection via the createProcessingInstruction function. An attacker can inject arbitrary XML nodes into the...

8.7CVSS5.7AI score0.00408EPSS
Exploits0References2
Rows per page
Query Builder