CVE-2026-53693 MISP BSimVis stored cross-site scripting in tag and cluster rendering paths via unescaped tag metadata and UI labels

A stored cross-site scripting vulnerability existed in MISP BSimVis tag rendering code. Several client-side rendering paths interpolated tag names, collection names, entity identifiers, cluster names, and tag metadata directly into HTML, HTML attributes, inline JavaScript event handlers, and CSS...

CVE-2026-7299

Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS by a malicious table or column names triggering arbitrary code execution in the sessions of other...

CVE-2026-7299

Appsmith CVE-2026-7299 affects the SQL query editor autocomplete renderer, where unsanitized database object names rendered into innerHTML enable persistent XSS by a developer with access. This can execute arbitrary JavaScript in other workspace members’ sessions when interacting with the same da...

CVE-2026-7299 CVE-2026-7299

Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS by a malicious table or column names triggering arbitrary code execution in the sessions of other...

CVE-2026-7299

Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS by a malicious table or column names triggering arbitrary code execution in the sessions of other...

Appsmiths SQL Query autocomplete renderer contains a cross site scripting vulnerability

Overview A stored cross-site scripting XSS vulnerability has been discovered in Appsmith, specifically in the CodeMirror based SQL query editor’s autocomplete renderer. CVE-2026-7299 has been assigned to track the vulnerability. An attacker with developer level access to a shared PostgreSQL...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsinitised AJAX response in createAutocompleteWithRemoteData function. An attacker can execute arbitrary scripts in the context of the user's browser by injecting malicious input into an autocomplete widget...

Improper Neutralization of Special Elements in Data Query Logic

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic in the EntitySearchUtil::addSearchClause function in the autocomplete endpoint. The endpoint constructs SQL query with LIKE expression without escaping the SQL LIKE wildcar...

symfony/ux-autocomplete Information exposure via unescaped LIKE wildcards in EntitySearchUtil

More info at https://github.com/symfony/ux/security/advisories/GHSA-946h-jp5c-8fvh...

symfony/ux-autocomplete XSS via unescaped AJAX response data

More info at https://github.com/symfony/ux/security/advisories/GHSA-mwqm-4fw3-cjvr...

Duplicate Advisory: OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rvvf-6vh3-9j43. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete...

CVE-2026-41348

OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Discord users can bypass channel restrictions by invoking slash commands, allowing access to restricted...

📄 FacturaScripts SQL Injection

FacturaScripts versions prior to 2025.81 suffer from a remote SQL injection vulnerability in the Autocomplete Actions functionality. CVE-2026-25514: FacturaScripts has SQL Injection in Autocomplete Actions Overview | Field | Details | |---|---| | CVE ID | CVE-2026-25514 | | Severity | HIGH | |...

Exploit for SQL Injection in Facturascripts

CVE-2026-25514: FacturaScripts has SQL Injection in Autocomple...

Incorrect Authorization

Overview @openclaw/discord is an OpenClaw Discord channel plugin Affected versions of this package are vulnerable to Incorrect Authorization in the Discord slash and autocomplete command handling process. An attacker can gain unauthorized access to group DM channels by bypassing the allowlist...

Exploit for CVE-2026-7299

CVE-2026-7299 - Appsmith 1.98 Stored XSS SQL Autocomplete inn...

CVE-2026-0748 Access bypass in Drupal 7 i18n_node translation UI

In the Drupal 7 Internationalization i18n module, the i18nnode submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls an...

CVE-2026-31823

Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting XSS vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML. Shop breadcrumbs shared/breadcrumbs.html.twig: The...

MAL-2026-1597 Malicious code in @emerald-react/autocomplete (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f3769d592953bbc58c010ccd6832a0c93aa4464e302e8ed7214df4bd5be7c030 The package @emerald-react/autocomplete was found to contain malicious code...

Malicious code in @emerald-react/autocomplete (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f3769d592953bbc58c010ccd6832a0c93aa4464e302e8ed7214df4bd5be7c030 The package @emerald-react/autocomplete was found to contain malicious code...