Lucene search
K

1265 matches found

OSV
OSV
added 2026/04/01 12:14 a.m.5 views

GHSA-JJF9-W5VJ-R6VP Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash

Summary Ash.Type.Module.castinput/2 unconditionally creates a new Erlang atom via Module.concatvalue for any user-supplied binary string that starts with "Elixir.", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has ...

8.2CVSS6AI score0.00423EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.10 views

PT-2026-29495

Summary Ash.Type.Module.cast input/2 unconditionally creates a new Erlang atom via Module.concatvalue for any user-supplied binary string that starts with "Elixir.", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has...

8.2CVSS6AI score0.00423EPSS
Exploits1References7
RedhatCVE
RedhatCVE
added 2026/03/26 3:10 p.m.5 views

CVE-2026-32986

Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category th...

6.1CVSS5.7AI score0.0016EPSS
Exploits1References1
EUVD
EUVD
added 2026/03/20 6:31 p.m.3 views

EUVD-2026-13724

A Second-Order Cross-Site Scripting XSS vulnerability exists in Textpattern CMS version 4.9.0 due to improper sanitization and contextual encoding of user-supplied input embedded within Atom feed XML elements. User-controlled parameters e.g., category are reflected into Atom fields such as and...

6.1CVSS6.1AI score0.0016EPSS
Exploits1References3
NVD
NVD
added 2026/03/20 4:16 p.m.5 views

CVE-2026-32986

Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category th...

6.1CVSS0.0016EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/03/20 3:42 p.m.24 views

CVE-2026-32986 Textpattern CMS 4.9.0: Second-Order XSS via Atom Feed Injection

Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category th...

6.1CVSS0.0016EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/03/20 3:42 p.m.4 views

CVE-2026-32986 Textpattern CMS 4.9.0: Second-Order XSS via Atom Feed Injection

Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category th...

6.1CVSS5.7AI score0.0016EPSS
Exploits1References2
CVE
CVE
added 2026/03/20 3:42 p.m.10 views

CVE-2026-32986

Textpattern CMS 4.9.0 is affected by a Second-Order XSS in Atom feed handling. User-controlled parameters (e.g., category) can be reflected into Atom fields like and without proper XML escaping, and the payload may execute when the feed is consumed by HTML-based readers or CMS aggregators that ...

6.1CVSS5.7AI score0.0016EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/20 3:42 p.m.3 views

CVE-2026-32986

Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category th...

6.1CVSS5.7AI score0.0016EPSS
Exploits1References2Affected Software1
CNNVD
CNNVD
added 2026/03/20 12:0 a.m.10 views

Textpattern CMS 安全漏洞

Textpattern CMS is a content management system based on PHP developed by the Textpattern team. Version 4.9.0 of Textpattern CMS has a security vulnerability, which stems from improper user input handling in the Atom feed XML elements. This vulnerability could lead to second-degree cross-site...

6.1CVSS5.6AI score0.0016EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/03/20 12:0 a.m.5 views

PT-2026-26626

Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category th...

6.1CVSS5.7AI score0.0016EPSS
Exploits1References6
Metasploit
Metasploit
added 2026/03/02 6:58 p.m.248 views

MajorDoMo Supply Chain RCE via Update Poisoning

This module exploits an unauthenticated remote code execution vulnerability in MajorDoMo's saverestore module via supply chain poisoning. The saverestore module's admin method is reachable without authentication through the /objects/?module=saverestore endpoint because usual calls admin directly...

9.8CVSS6.3AI score0.01086EPSS
Exploits4
Github Security Blog
Github Security Blog
added 2026/03/01 1:25 a.m.5 views

hex_core has Unsafe Deserialization of Erlang Terms

Impact The Hex client hexcore deserializes Erlang terms received from the Hex API using binarytoterm/1 without sufficient restrictions. If an attacker can control the HTTP response body returned by the Hex API, this allows denial-of-service attacks such as atom table exhaustion, leading to a VM...

7.5CVSS6.2AI score0.00576EPSS
Exploits0References8Affected Software1
OSV
OSV
added 2026/03/01 1:25 a.m.2 views

GHSA-HX9W-F2W9-9G96 hex_core has Unsafe Deserialization of Erlang Terms

Impact The Hex client hexcore deserializes Erlang terms received from the Hex API using binarytoterm/1 without sufficient restrictions. If an attacker can control the HTTP response body returned by the Hex API, this allows denial-of-service attacks such as atom table exhaustion, leading to a VM...

2CVSS6.2AI score0.00576EPSS
Exploits0References8
Packet Storm
Packet Storm
added 2026/02/26 12:0 a.m.128 views

📄 Textpattern 4.9.0 Cross Site Scripting

Textpattern version 4.9.0 suffers from a cross site scripting vulnerability. ============================================================================================================================================= | Title : Textpattern 4.9.0 Second-Order XSS via Atom Feed Injection | | Autho...

5AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/02/23 1:30 p.m.6 views

CVE-2026-27458

LinkAce is a self-hosted archive to collect website links. Versions 2.4.2 and below have a Stored Cross-site Scripting vulnerability through the Atom feed endpoint for lists /lists/feed. An authenticated user can inject a CDATA-breaking payload into a list description that escapes the XML CDATA...

8.7CVSS5.7AI score0.00218EPSS
Exploits1References1
NVD
NVD
added 2026/02/21 7:16 a.m.10 views

CVE-2026-27458

LinkAce is a self-hosted archive to collect website links. Versions 2.4.2 and below have a Stored Cross-site Scripting vulnerability through the Atom feed endpoint for lists /lists/feed. An authenticated user can inject a CDATA-breaking payload into a list description that escapes the XML CDATA...

8.7CVSS0.00218EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/02/21 6:54 a.m.4 views

CVE-2026-27458 LinkAce: Stored XSS in Atom Feed via CDATA Escape in List Description

LinkAce is a self-hosted archive to collect website links. Versions 2.4.2 and below have a Stored Cross-site Scripting vulnerability through the Atom feed endpoint for lists /lists/feed. An authenticated user can inject a CDATA-breaking payload into a list description that escapes the XML CDATA...

8.7CVSS5.8AI score0.00218EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/02/21 6:54 a.m.5 views

CVE-2026-27458

LinkAce is a self-hosted archive to collect website links. Versions 2.4.2 and below have a Stored Cross-site Scripting vulnerability through the Atom feed endpoint for lists /lists/feed. An authenticated user can inject a CDATA-breaking payload into a list description that escapes the XML CDATA...

8.7CVSS6AI score0.00218EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2026/02/21 6:54 a.m.21 views

CVE-2026-27458 LinkAce: Stored XSS in Atom Feed via CDATA Escape in List Description

LinkAce is a self-hosted archive to collect website links. Versions 2.4.2 and below have a Stored Cross-site Scripting vulnerability through the Atom feed endpoint for lists /lists/feed. An authenticated user can inject a CDATA-breaking payload into a list description that escapes the XML CDATA...

8.7CVSS0.00218EPSS
Exploits1References2
Rows per page
Query Builder