CVE-2026-25117 pwn.college DOJO vulnerable to sandbox escape leading to arbitrary javascript execution

pwn.college DOJO is an education platform for learning cybersecurity. Prior to commit e33da14449a5abcff507e554f66e2141d6683b0a, missing sandboxing on /workspace/ routes allows challenge authors to inject arbitrary javascript which runs on the same origin as http://dojo.website. This is a sandbox...

DOJO Cross-Site Scripting Vulnerabilities

DOJO is a JavaScript toolkit open source by pwn.college. pwn.college’s DOJO has a cross-site scripting vulnerability; this vulnerability stems from the lack of sandbox isolation, which may lead to sandbox escape and arbitrary JavaScript execution...

PT-2026-5368

Name of the Vulnerable Software and Affected Versions pwn.college DOJO versions prior to commit e33da14449a5abcff507e554f66e2141d6683b0a Description A missing sandbox implementation on routes starting with /workspace/ allows challenge authors to inject arbitrary JavaScript code. This code execute...

Cross-site Scripting (XSS)

Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Cross-site Scripting XSS via the SVG upload. An attacker can execute arbitrary JavaScript in the browsers of other users by uploading a crafted SVG file containing embedded scripts, which are rendered inline when...

CVE-2026-24348

Multiple cross-site scripting vulnerabilities in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to execute arbitrary JavaScript code in the browser of other Admin UI users...

CVE-2026-0483

Stored Cross-Site Scripting XSS vulnerability in the PDF file upload functionality of Live Helper Chat, versions prior to 4.72. An attacker can upload a malicious PDF file containing an XSS payload, which will be executed in the user's context when they download and open the file via the link...

CVE-2026-24348

Multiple cross-site scripting vulnerabilities in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to execute arbitrary JavaScript code in the browser of other Admin UI users...

CVE-2026-24348

Multiple cross-site scripting vulnerabilities in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to execute arbitrary JavaScript code in the browser of other Admin UI users...

CVEs-huyle

CVE-2026-30139: Silverpeas Core Reflected XSS in AdvancedSearc...

PT-2026-4907

Name of the Vulnerable Software and Affected Versions EZCast Pro II version 1.17478.146 Description The Admin UI of EZCast Pro II contains cross-site scripting flaws. Successful exploitation allows attackers to execute arbitrary JavaScript code within the browser of other Admin UI users...

CVE-2020-36960

Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like '' to execute arbitrary JavaScript when the profile is viewed by other users...

CVE-2026-1429

CVE-2026-1429 concerns the WellChoose Single Sign-On Portal System, which is reported to have a Reflected Cross-site Scripting (XSS) vulnerability. The vulnerability allows authenticated remote attackers to cause the victim’s browser to execute arbitrary JavaScript via phishing-style input. The d...

MedDream PACS Premium Cross-Site Scripting Vulnerability (CNVD-2026-10669)

MedDream PACS Premium is an enterprise-class image storage and management server suite from MedDream. MedDream PACS Premium suffers from a cross-site scripting vulnerability that is caused by improper validation of user-supplied input by the Download Zip feature. An attacker could exploit the...

MedDream PACS Premium Cross-Site Scripting Vulnerability (CNVD-2026-10670)

MedDream PACS Premium is an enterprise-class image storage and management server suite from MedDream. MedDream PACS Premium suffers from a cross-site scripting vulnerability that is caused by improper validation of user-supplied input by the email failedjob feature. An attacker could exploit the...

MedDream PACS Premium Cross-Site Scripting Vulnerability (CNVD-2026-11737)

MedDream PACS Premium is an enterprise-class image storage and management server suite from MedDream. MedDream PACS Premium suffers from a cross-site scripting vulnerability that is caused by improper validation of user-supplied input by the modifyUser feature. An attacker could exploit the...

MedDream PACS Premium Cross-Site Scripting Vulnerability (CNVD-2026-10668)

MedDream PACS Premium is an enterprise-class image storage and management server suite from MedDream. A cross-site scripting vulnerability exists in MedDream PACS Premium and is caused by improper validation of user-supplied input by the Modify Anonymization feature. An attacker could exploit the...

Forma LMS cross-site scripting vulnerability

Forma LMS is an open-source learning management system developed by the Italian company Forma. Version 2.3 of Forma LMS contains a cross-site scripting vulnerability. This vulnerability stems from the storage-based cross-site scripting in the user name field, which may allow for the execution of...

CVE-2025-9289

A Cross-Site Scripting XSS vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator. If...

CVE-2026-22793

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe option parsing vulnerability in the ECharts Markdown plugin allows any user able to submit ECharts code blocks to execute arbitrary JavaScript code in the...

CVE-2025-67683 Reflected XSS in Quick.Cart

Quick.Cart is vulnerable to reflected XSS via the sSort parameter. An attacker can craft a malicious URL which, when opened, results in arbitrary JavaScript execution in the victim’s browser. The vendor was notified early about this vulnerability, but didn't respond with the details of...