CVE-2025-66280 QTS, QuTS hero

An integer overflow or wraparound vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the...

CVE-2025-40902

CVE-2025-40902 describes a Stored HTML Injection in the Guardian/CMC Users feature prior to 26.1.0. An authenticated admin can create a user whose username contains HTML tags; when a victim deletes a group containing that user, the injected HTML may render in the browser, enabling phishing and po...

CVE-2026-7191

Improper use of the static-eval npm package in the open source solution qnabot-on-aws versions 7.2.4 and earlier may allow an authenticated administrator to execute arbitrary code within the fulfillment Lambda execution context by injecting a crafted conditional chaining expression via the Conten...

PT-2026-34298

Name of the Vulnerable Software and Affected Versions Sentence To SEO versions prior to 1.1 Description The Sentence To SEO plugin for WordPress contains a Stored Cross-Site Scripting issue. The problem occurs because the plugin fails to properly sanitize input and escape output for the 'Permanen...

CVE-2026-6439

The VideoZen plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping in the videozenconf function. The 'lang' POST parameter is stored directly via updateoption without any...

PT-2026-25852

Name of the Vulnerable Software and Affected Versions SiYuan versions 3.6.0 and below Description SiYuan, a personal knowledge management system, has an issue in the globalCopyFiles API. This API reads source files using filepath.Abs without proper workspace boundary checks. It relies on the...

CVE-2026-3242

In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting...

CVE-2026-2289

The Taskbuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

CVE-2025-54161

Technical details about CVE-2025-54161 are not publicly provided in the supplied documents; monitor for updates.

CVE-2026-24325

SAP BusinessObjects Enterprise does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting XSS vulnerability. This enables an admin user to inject malicious JavaScript into a website and the injected script gets executed when the user visits the compromised page.Th...

CVE-2025-9981 Multiple Stored XSS in QuickCMS

QuickCMS is vulnerable to multiple Stored XSS in slider editor functionality sliders-form. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed on every page. By default admin user is not able to add JavaScript into the website. T...

EUVD-2021-22913

Malware in sbrugna...

EUVD-2017-7364

Malware in sbrugna...

EUVD-2018-10853

Malware in sbrugna...

EUVD-2009-2844

Malware in sbrugna...

EUVD-2019-19265

Malware in sbrugna...

EUVD-2008-6727

Malware in sbrugna...

EUVD-2022-41596

Malicious code in bioql PyPI...

EUVD-2022-3727

Malicious code in bioql PyPI...

EUVD-2023-31786

Malicious code in bioql PyPI...