
2403 matches found

Positive Technologies
added 2026/03/16 12:0 a.m. | 6 views

PT-2026-25597

Improper authorization in Settings prior to SMR Mar-2026 Release 1 allows local attacker to disable configuring the background data usage of application...

CVSS 4.8 | AI score 5.8 | EPSS 0.00084
Exploits: 0 | References: 1
OSV
added 2026/03/12 5:20 p.m. | 2 views

CVE-2026-31873 Unhead has a Bypass of URI Scheme Sanitization in makeTagSafe via Case-Sensitivity

Unhead is a document head and template manager. Prior to 2.1.11, the link.href check in makeTagSafe (safe.ts) uses String.includes, which is case-sensitive. Browsers treat URI schemes case-insensitively. DATA:text/css,... is the same as data:text/css,... to the browser, but 'DATA:...'.includes'data...

AI score 5.9 | EPSS 0.00237
Exploits: 1 | References: 3
OSV
added 2026/03/12 3:25 p.m. | 2 views

MAL-2026-1371 Malicious code in collecters (PyPI)

Source: kam193 (c17c6bb947662d942c27cdf7ca9572536ea97f7864070648eb417277cad2e71e). Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in...

AI score 6.1
Exploits: 0 | References: 3
Vulnrichment
added 2026/03/12 12:32 a.m. | 1 views

CVE-2026-3969 FeMiner wms Basic Organizational Structure depart_add_bg.php sql injection

A vulnerability was detected in FeMiner wms up to 1.0. This impacts an unknown function of the file /wms-master/src/basic/depart/depart_add_bg.php of the component Basic Organizational Structure Module. Performing a manipulation of the argument Name results in sql injection. The attack may be...

CVSS 7.5 | AI score 5.6 | EPSS 0.00254
Exploits: 0 | References: 4
CNNVD
added 2026/03/12 12:0 a.m. | 4 views

FeMiner wms SQL Injection Vulnerability

FeMiner wms is a repository management system developed by FeMiner’s individual developers in China. Versions of FeMiner wms prior to version 1.0 contained an SQL injection vulnerability. This vulnerability stemmed from incorrect handling of parameters named “Name” in the file...

CVSS 7.5 | AI score 7.2 | EPSS 0.00254
Exploits: 0 | References: 4
OSSF Malicious Packages
added 2026/03/11 12:41 p.m. | 6 views

Malicious code in collectables (PyPI)

Source: kam193 (e007c43e26edb912325f1478ec6cd5cd838b5d7e5ae62beedd3baa02638b3dc4). Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in...

AI score 6
Exploits: 0 | References: 3
OSV
added 2026/03/11 12:41 p.m. | 3 views

MAL-2026-1342 Malicious code in collectables (PyPI)

Source: kam193 (e007c43e26edb912325f1478ec6cd5cd838b5d7e5ae62beedd3baa02638b3dc4). Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in...

AI score 6.1
Exploits: 0 | References: 3
OSSF Malicious Packages
added 2026/03/11 10:17 a.m. | 6 views

Malicious code in collects (PyPI)

Source: kam193 (fc7f98d0c4c092f4eb4a73240f8c7a5df90717853ee408fefa9eeb09a41d2cae). Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in...

AI score 6
Exploits: 0 | References: 3
OSV
added 2026/03/11 10:17 a.m. | 3 views

MAL-2026-1341 Malicious code in collects (PyPI)

Source: kam193 (fc7f98d0c4c092f4eb4a73240f8c7a5df90717853ee408fefa9eeb09a41d2cae). Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in...

AI score 6.1
Exploits: 0 | References: 3
EUVD
added 2026/03/11 9:31 a.m. | 2 views

EUVD-2026-11111

The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ast-page-background-meta and ast-content-background-meta post meta fields in all versions up to, and including, 4.12.3. This is due to insufficient input sanitization on meta registration and missing output escapin...

CVSS 6.4 | AI score 5.9 | EPSS 0.00199
Exploits: 0 | References: 7
NVD
added 2026/03/11 7:16 a.m. | 3 views

CVE-2026-3534

The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ast-page-background-meta and ast-content-background-meta post meta fields in all versions up to, and including, 4.12.3. This is due to insufficient input sanitization on meta registration and missing output escapin...

CVSS 6.4 | EPSS 0.00199
Exploits: 0 | References: 6
Cvelist
added 2026/03/11 6:45 a.m. | 25 views

CVE-2026-3534 Astra <= 4.12.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta

The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ast-page-background-meta and ast-content-background-meta post meta fields in all versions up to, and including, 4.12.3. This is due to insufficient input sanitization on meta registration and missing output escapin...

CVSS 6.4 | EPSS 0.00199
Exploits: 0 | References: 6
ATTACKERKB
added 2026/03/11 6:45 a.m. | 3 views

CVE-2026-3534

The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ast-page-background-meta and ast-content-background-meta post meta fields in all versions up to, and including, 4.12.3. This is due to insufficient input sanitization on meta registration and missing output escapin...

CVSS 6.4 | AI score 5.9 | EPSS 0.00199
Exploits: 0 | References: 7
Vulnrichment
added 2026/03/11 6:45 a.m. | 3 views

CVE-2026-3534 Astra <= 4.12.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta

The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ast-page-background-meta and ast-content-background-meta post meta fields in all versions up to, and including, 4.12.3. This is due to insufficient input sanitization on meta registration and missing output escapin...

CVSS 6.4 | AI score 5.9 | EPSS 0.00199
Exploits: 0 | References: 6
Positive Technologies
added 2026/03/11 12:0 a.m. | 3 views

PT-2026-24590

🚨 CVE-2026-3534 The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ast-page-background-meta and ast-content-background-meta post meta fields in all versions up to, and including, 4.12.3. This is due to insufficient input sanitization on meta registration and missin...

CVSS 6.4 | AI score 6 | EPSS 0.00199
Exploits: 0 | References: 10
Redos
added 2026/03/10 12:0 a.m. | 8 views

ROS-20260310-73-0037

A vulnerability in the Background Fetch API of the Google Chrome browser is related to errors in the implementation of security checks for standard elements. Exploitation of the vulnerability allows an attacker acting remotely to disclose protected information using a specially crafted HTML page...

CVSS 6.5 | AI score 5.7 | EPSS 0.00224
Exploits: 1
OSSF Malicious Packages
added 2026/03/08 2:14 p.m. | 5 views

Malicious code in cpucheck (PyPI)

Source: kam193 (5c9d20d009145b270e9b9f2bb73540bb7484845f0cbe9c73f4cf20cc28f776c9). Importing the module starts silent cryptocurrency mining in the background for a hardcoded wallet. Category: MALICIOUS - The campaign has clearly malicio...

AI score 5.8
Exploits: 0 | References: 1
OSV
added 2026/03/08 2:13 p.m. | 5 views

MAL-2026-1281 Malicious code in pyutils-helper (PyPI)

Source: kam193 (8b1055c03077c874d21f69aa9403cebd070e2b7398e27b44310c977219bc0e7a). Importing the module starts silent cryptocurrency mining in the background for a hardcoded wallet. Category: MALICIOUS - The campaign has clearly malicio...

AI score 5.8
Exploits: 0 | References: 1
Hacker One
added 2026/03/07 11:41 a.m. | 8 views

Nextcloud: Unquoted body background attribute enables CSS injection that bypasses remote image blocking

A vulnerability was discovered in Roundcube's HTML sanitizer that enabled CSS injection when the allowremote option was set to false. The sanitizer failed to quote the value of the background attribute from the email's body element, allowing a crafted data: URI to terminate the url function and inject...

AI score 5.9
Exploits: 0
ATTACKERKB
added 2026/03/04 9:53 p.m. | 4 views

CVE-2025-68467

Dark Reader is an accessibility browser extension that makes web page colors dark. The dynamic dark mode feature of the extension works by analyzing the colors of web pages found in CSS style sheet files. In order to analyze cross-origin style sheets stored on websites different from the origina...

CVSS 3.4 | AI score 5.8 | EPSS 0.00108
Exploits: 0 | References: 2 | Affected Software: 1