52 matches found

Vulnrichment
added 2026/05/27 9:56 p.m. · 3 views

CVE-2026-46538 Microsoft UFO accepts cross-device TASK_END messages by session_id only, allowing peer task-result injection

Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's constellation client tracks pending task responses by session_id only and does not verify that a TASK_END message came from the device that originally received the task...

CVSS 5.9 · AI score 5.8 · EPSS 0.00027
Exploits 0 · References 1
CVE
added 2026/04/28 6:42 a.m. · 11 views

CVE-2026-40966

Spring AI vulnerability CVE-2026-40966: VectorStoreChatMemoryAdvisor allows cross-tenant exfiltration by injecting filter logic through a user-supplied conversationId, bypassing chat isolation. Affected: apps using VectorStoreChatMemoryAdvisor with conversationId from input. Impact: confidentiali...

CVSS 5.9 · AI score 5.2 · EPSS 0.00053
Exploits 0 · References 2 · Affected Software 1
OSV
added 2026/01/31 8:43 a.m. · 2 views

BIT-GOLANG-2025-61730 Handshake messages may be processed at the incorrect encryption level in crypto/tls

During the TLS 1.3 handshake, if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosu...

CVSS 5.3 · AI score 7.2 · EPSS 0.00009
Exploits 0 · References 5
EUVD
added 2025/10/07 12:30 a.m. · 1 view

EUVD-2006-0610

Malware in sbrugna...

CVSS 6.4 · AI score 6.4 · EPSS 0.00717
Exploits 1 · References 7
EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2005-1970

Malware in sbrugna...

CVSS 4.3 · AI score 6.4 · EPSS 0.00331
Exploits 1 · References 3
EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2013-3572

Malware in sbrugna...

CVSS 4.3 · AI score 6.2 · EPSS 0.06262
Exploits 2 · References 7
EUVD
added 2025/10/07 12:30 a.m. · 1 view

EUVD-2019-2184

Malware in sbrugna...

CVSS 4.7 · AI score 5 · EPSS 0.00191
Exploits 0 · References 7
EUVD
added 2025/10/03 8:7 p.m. · 1 view

EUVD-2022-4255

Malicious code in bioql PyPI...

CVSS 7.5 · AI score 7.7 · EPSS 0.00488
Exploits 0 · References 4
EUVD
added 2025/10/03 8:7 p.m. · 2 views

EUVD-2025-7660

Malicious code in bioql PyPI...

CVSS 3.7 · AI score 4.5 · EPSS 0.00033
Exploits 0 · References 4
EUVD
added 2025/10/03 8:7 p.m. · 2 views

EUVD-2024-34299

Malicious code in bioql PyPI...

CVSS 6.1 · AI score 8.7 · EPSS 0.01144
Exploits 0 · References 2
EUVD
added 2025/10/03 8:7 p.m. · 2 views

EUVD-2023-57908

Malicious code in bioql PyPI...

CVSS 6.4 · AI score 6.4 · EPSS 0.00127
Exploits 0 · References 2
Cvelist
added 2025/08/18 4:1 p.m. · 6 views

CVE-2025-54421 NamelessMC allows Stored Cross Site Scripting (XSS) in SEO component

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Cross-site scripting (XSS) vulnerability in NamelessMC before 2.2.4 allows remote authenticated attackers to inject arbitrary web script or HTML via the defaultkeywords crafted parameter. This vulnerability is fixe...

CVSS 7.2 · EPSS 0.00051
Exploits 1 · References 2
RedhatCVE
added 2025/07/05 11:22 a.m. · 5 views

CVE-2025-6563

A cross-site scripting vulnerability is present in the hotspot of MikroTik's RouterOS on versions below 7.19.2. An attacker can inject the javascript protocol in the dst parameter. When the victim browses to the malicious URL and logs in, the XSS executes. The POST request used to login, can also...

CVSS 4.8 · AI score 5.2 · EPSS 0.0149
Exploits 2 · References 1
Veracode
added 2025/07/04 6:39 a.m. · 3 views

Stored Cross-site Scripting (XSS)

starcitizentools/citizen-skin is vulnerable to Stored Cross-site Scripting (XSS). The vulnerability is due to the Citizen skin inserting short descriptions from the ShortDescription extension as raw HTML, which allows an attacker to inject arbitrary HTML into the DOM by editing a page...

CVSS 8.6 · AI score 5.7 · EPSS 0.0017
Exploits 1 · References 6 · Affected Software 1
Positive Technologies
added 2025/06/27 12:0 a.m. · 1 view

PT-2025-27104 · Unknown · Mojoomla School Management

Name of the Vulnerable Software and Affected Versions: mojoomla School Management versions n/a through 92.0.0 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Reflected XSS. This enables potential...

CVSS 7.1 · AI score 6.5 · EPSS 0.00185
Exploits 0 · References 3
RedhatCVE
added 2025/05/23 10:20 a.m. · 2 views

CVE-2024-6391

The oik plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bwbutton shortcode in all versions up to, and including, 4.10.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, wi...

CVSS 6.4 · AI score 5.8 · EPSS 0.0036
Exploits 0 · References 1
RedhatCVE
added 2025/05/23 5:28 a.m. · 7 views

CVE-2023-6957

The Fluent Forms plugin for WordPress by Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.9 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts in...

CVSS 5.4 · AI score 5.9 · EPSS 0.00229
Exploits 0 · References 1
RedhatCVE
added 2025/05/22 6:43 p.m. · 4 views

CVE-2021-40927

Cross-site scripting (XSS) vulnerability in callback.php in Spotify-for-Alfred 0.13.9 and below allows remote attackers to inject arbitrary web script or HTML via the error parameter...

CVSS 6.1 · AI score 5.9 · EPSS 0.00283
Exploits 1
RedhatCVE
added 2025/05/22 8:48 a.m. · 8 views

CVE-2019-6835

A Cross-Site Scripting (XSS) CWE-79 vulnerability exists in U.motion Server MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15, which could allow an attacker to inject...

CVSS 5.4 · AI score 5.8 · EPSS 0.00287
Exploits 0 · References 1
RedhatCVE
added 2025/05/22 5:21 a.m. · 4 views

CVE-2019-6018

Cross-site scripting vulnerability in NetCommons 3.2.2 and earlier NetCommons3.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...

CVSS 6.1 · AI score 6.4 · EPSS 0.00402
Exploits 0 · References 1