GHSA-W42G-JJ8W-FJ77 phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving...

PT-2026-41369

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving...

CI4MS Vulnerable to Post-Installation Re-entry via Cache-Dependent Install Guard Bypass

Summary The install route guard in ci4ms relies solely on a volatile cache check cache'settings' combined with .env file existence to block post-installation access to the setup wizard. When the database is temporarily unreachable during a cache miss TTL expiry or admin-triggered cache clear, the...

CVE-2026-33735

MyTube is affected by an authorization bypass in the /api/settings/import-database endpoint (and related POST routes) that lets low-privilege attackers upload and replace the application’s SQLite database, enabling full compromise. The issue precedes version 1.8.69, which contains the fix. Impact...

CVE-2026-33735 MyTube has an Improper Access Control that Allows Complete Application Takeover

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.69, an authorization bypass in the /api/settings/import-database endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a fu...

EUVD-2026-10869

Parse Server missing audience validation in Keycloak authentication adapter...

EUVD-2026-10868

Parse Server missing audience validation in Keycloak authentication adapter...

CVE-2026-30949

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp authorized party claim of Keycloak access tokens against the configured client-id. A valid acces...

EUVD-2019-3039

Malware in sbrugna...

EUVD-2020-23335

Malware in sbrugna...

EUVD-2020-23337

Malware in sbrugna...

CVE-2025-49126

Visionatrix is an AI Media processing tool using ComfyUI. In versions 1.5.0 to before 2.5.1, the /docs/flows endpoint is vulnerable to a Reflected XSS Cross-Site Scripting attack allowing full takeover of the application and exfiltration of secrets stored in the application. The implementation us...

CVE-2025-49126 Visionatrix Vulnerable to Reflected XSS Leading to Exfiltration of Secrets

Visionatrix is an AI Media processing tool using ComfyUI. In versions 1.5.0 to before 2.5.1, the /docs/flows endpoint is vulnerable to a Reflected XSS Cross-Site Scripting attack allowing full takeover of the application and exfiltration of secrets stored in the application. The implementation us...

CVE-2025-49126

Visionatrix is affected by a Reflected XSS in versions 1.5.0–2.5.0 (fixed in 2.5.1) via the "/docs/flows" endpoint. The root cause is the use of FastAPI’s get_swagger_ui_html without encoding or sanitizing user-controlled arguments, which is used to render the swagger docs. The vulnerability enab...

CVE-2025-49126 Visionatrix Vulnerable to Reflected XSS Leading to Exfiltration of Secrets

Visionatrix is an AI Media processing tool using ComfyUI. In versions 1.5.0 to before 2.5.1, the /docs/flows endpoint is vulnerable to a Reflected XSS Cross-Site Scripting attack allowing full takeover of the application and exfiltration of secrets stored in the application. The implementation us...

CVE-2020-35676

BigProf Online Invoicing System before 3.1 fails to correctly sanitize an XSS payload when a user registers using the self-registration functionality. As such, an attacker can input a crafted payload that will execute upon the application's administrator browsing the registered users' list. Once...

CVE-2020-35674

BigProf Online Invoicing System before 2.9 suffers from an unauthenticated SQL Injection found in /membershippasswordReset.php the endpoint that is responsible for issuing self-service password resets. An unauthenticated attacker is able to send a request containing a crafted payload that can...

CVE-2024-30143

HCL AppScan Traffic Recorder fails to adequately neutralize special characters within the filename, potentially allowing it to resolve to a location beyond the restricted directory. Potential exploits can completely disrupt or takeover the application or the computer where the application is...

CVE-2024-30143

CVE-2024-30143 describes a path traversal vulnerability in the HCL AppScan Traffic Recorder. The root cause is failure to adequately neutralize special characters in filenames, which could allow resolution beyond restricted directories and potentially enable disruption or takeover of the applicat...

CVE-2024-30143 A path traversal vulnerability in HCL AppScan Traffic Recorder

HCL AppScan Traffic Recorder fails to adequately neutralize special characters within the filename, potentially allowing it to resolve to a location beyond the restricted directory. Potential exploits can completely disrupt or takeover the application or the computer where the application is...