14 matches found
CVE-2026-43935
e107 is a content management system (CMS). Prior to 2.3.4, a Host Header Injection vulnerability in the password reset page allows attackers to manipulate the Host header to generate password reset links pointing to attacker-controlled domains. This can lead to phishing attacks, account takeover, o...
EUVD-2026-22293
Claude Code has a Domain Validation Bypass which Allows Automatic Requests to Attacker-Controlled Domains...
EUVD-2026-10423
flarum/nicknames extension has display name injection in notification emails autolink & markdown...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the notification email process. An attacker can mislead recipients into visiting attacker-controlled domains by setting a specially crafted nickname that is rendered as a clickable link in notification email...
Flarum Security Vulnerability
Flarum is an open-source forum software developed by Flarum for building communities. There is a security vulnerability in Flarum. This vulnerability arises when the flarum/nicknames extension is enabled, allowing registered users to set their nicknames as strings that can be interpreted by email...
CVE-2026-24052
Summary: CVE-2026-24052 affects Claude Code prior to 1.0.111, where URL validation in the trusted-domain check for WebFetch used a startsWith() approach, allowing crafted domains (e.g., modelcontextprotocol.io.example.com) to bypass validation and potentially cause automatic requests to attacker‑...
GHSA-VHW5-3G5M-8GGF Claude Code has a Domain Validation Bypass which Allows Automatic Requests to Attacker-Controlled Domains
Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith function to validate trusted domains (e.g., docs.python.org, modelcontextprotocol.io); this could have enabled attackers to register domains like...
CVE-2025-62428 Drawing-Captcha APP Host Header Injection in `/register` and `/confirm-email` Endpoints
Drawing-Captcha APP provides interactive, engaging verification for Web-Based Applications. The vulnerability is a Host Header Injection in the /register and /confirm-email endpoints. It allows an attacker to manipulate the Host header in HTTP requests to generate malicious email confirmation...
CVE-2025-31326 HTML Injection vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)
SAP BusinessObjects Business Intelligence Platform (Web Intelligence) is vulnerable to HTML Injection, allowing an attacker with basic user privileges to inject malicious code into specific input fields. This could lead to unintended redirects or manipulation of application behavior, such as...
CVE-2025-31326 HTML Injection vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)
SAP BusinessObjects Business Intelligence Platform (Web Intelligence) is vulnerable to HTML Injection, allowing an attacker with basic user privileges to inject malicious code into specific input fields. This could lead to unintended redirects or manipulation of application behavior, such as...
Open Redirection
n8n is vulnerable to Open Redirection. The vulnerability stems from improper validation of redirect URLs: the login flow accepts untrusted redirect query parameters, allowing redirection to attacker-controlled domains...
Plane 0.23.1 Server-Side Request Forgery
Plane version 0.23.1 suffers from a server-side request forgery vulnerability. Exploit Title: Plane - Server side request forgery SSRF Date: 2024-01-13 Exploit Author: Saud Alenazi Vendor Homepage: https://plane.so Software Link: https://github.com/makeplane/plane/releases/tag/v0.23.1 Version:...
VMware SD-WAN Orchestrator Security Vulnerability
VMware SD-WAN Orchestrator is a software from VMware that is used to orchestrate network data flows in a software-defined network architecture. The software provides web pages to visualize and manage users, gateways, and authentication. A security vulnerability exists in VMware SD-WAN Orchestrato...
UBUNTU-CVE-2018-20071
Insufficiently strict origin checks during JIT payment app installation in Payments in Google Chrome prior to 70.0.3538.67 allowed a remote attacker to install a service worker for a domain that can host attacker controlled files via a crafted HTML page...