
23 matches found

CVE
added last week, 10 views

CVE-2026-42401

CVE-2026-42401 affects Kibana, where improper neutralization of input during web page generation (CWE-79) allows stored HTML injection. A user with write access to an Elasticsearch index can persist crafted markup that, when rendered in a Kibana view by another user, may not be sufficiently sanit...

CVSS 5.4, AI score 5.8, EPSS 0.00023
Exploits: 0, References: 1, Affected Software: 1
CNNVD
added 2026/05/05 12:00 a.m., 3 views

OpenClaw Code Issue Vulnerability

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.14 had code vulnerabilities. These vulnerabilities stemmed from the browser SSRF policy, which allowed private network navigation by default. This configuration flaw could enabl...

CVSS 7.7, AI score 5.9, EPSS 0.00034
Exploits: 0, References: 1
RedhatCVE
added 2026/03/26 3:13 p.m., 2 views

CVE-2025-62320

HTML Injection can be carried out in Product when a web application does not properly check or clean user input before showing it on a webpage. Because of this, an attacker may insert unwanted HTML code into the page. When the browser loads the page, it may automatically interact with external...

CVSS 4.7, AI score 5.9, EPSS 0.0004
Exploits: 0, References: 1
Veracode
added 2026/03/25 9:30 a.m., 2 views

Exposed Dangerous Method Or Function

MCP Gateway is vulnerable to Exposed Dangerous Method or Function. The vulnerability is due to lack of protection in SSE or streaming transport modes, which allows an attacker to exploit browser-based requests via a malicious website to interact with internal MCP servers...

CVSS 9.6, AI score 5.8, EPSS 0.00015
Exploits: 0, References: 5, Affected Software: 1
Positive Technologies
added 2026/03/18 12:00 a.m., 3 views

PT-2026-26190

The /download endpoint validates only the initial URL provided by the user using validateDownloadURL to prevent requests to internal or private network addresses. Exploitation requires security.allowDownload=true, which is disabled by default. However, pages loaded by the embedded Chromium browse...

CVSS 5.8, AI score 5.9, EPSS 0.00021
Exploits: 1, References: 7
EUVD
added 2026/03/17 3:36 p.m., 3 views

EUVD-2025-208779

HTML Injection can be carried out in Product when a web application does not properly check or clean user input before showing it on a webpage. Because of this, an attacker may insert unwanted HTML code into the page. When the browser loads the page, it may automatically interact with external...

CVSS 4.7, AI score 5.8, EPSS 0.0004
Exploits: 0, References: 2
NVD
added 2026/03/17 1:16 p.m., 2 views

CVE-2025-62320

HTML Injection can be carried out in Product when a web application does not properly check or clean user input before showing it on a webpage. Because of this, an attacker may insert unwanted HTML code into the page. When the browser loads the page, it may automatically interact with external...

CVSS 6.1, EPSS 0.0004
Exploits: 0, References: 1
Positive Technologies
added 2026/02/20 12:00 a.m., 3 views

PT-2026-21334

Name of the Vulnerable Software and Affected Versions: Ray versions 2.53.0 and below. Description: Ray's dashboard HTTP server does not adequately protect DELETE requests, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable, a web page using DNS rebinding or...

CVSS 6.5, AI score 5.5, EPSS 0.00061
Exploits: 1, References: 18
RedhatCVE
added 2026/01/09 8:37 a.m., 6 views

CVE-2019-11628

An issue was discovered in QlikView Server before 11.20 SR19, 12.00 and 12.10 before 12.10 SR11, 12.20 before SR9, and 12.30 before SR2; and Qlik Sense Enterprise and Qlik Analytics Platform installations that lack these patch levels: February 2018 Patch 4, April 2018 Patch 3, June 2018 Patch 3,...

CVSS 8.2, AI score 6.6, EPSS 0.0034
Exploits: 0, References: 1
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2019-3298

Malware in sbrugna...

CVSS 8.2, AI score 7.4, EPSS 0.0034
Exploits: 0, References: 2
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2022-1226

Malicious code in bioql PyPI...

CVSS 5.5, AI score 6.5, EPSS 0.00067
Exploits: 1, References: 9
RedHat Linux
added 2023/04/12 12:02 p.m., 2 views

spring-security-oauth2-client: Privilege Escalation in spring-security-oauth2-client

A flaw was found in the Spring Security framework. Spring Security could allow a remote attacker to gain elevated privileges on the system. By modifying a request initiated by the Client via the browser to the Authorization Server, an attacker can gain elevated privileges on the system...

CVSS 8.1, AI score 7.4, EPSS 0.00313
Exploits: 0, References: 5
NVD
added 2022/06/09 5:15 p.m., 15 views

CVE-2021-27786

Cross-origin resource sharing (CORS) enables browsers to perform cross-domain requests in a controlled manner. The request carries an Origin header that identifies the domain making the initial request, and the protocol between browser and server determines whether the request is allowed. An...

CVSS 9.8, EPSS 0.00186
Exploits: 0, References: 1
CNVD
added 2020/05/12 12:00 a.m., 1 view

Cross-Site Scripting Vulnerability in Sentrifugo CMS

Sentrifugo is a human resource management system. The system includes functions for human resources management, performance appraisal, recruitment management and asset management. A cross-site scripting vulnerability exists in Sentrifugo CMS. An attacker can exploit the vulnerability by injecting...

AI score 6.4
Exploits: 0, References: 1
Prion
added 2019/12/19 5:15 p.m., 7 views

Authentication flaw

For Eclipse Che versions 6.16 to 7.3.0, with both authentication and TLS disabled, visiting a malicious web site could trigger the start of an arbitrary Che workspace. Che with no authentication and no TLS is not usually deployed on a public network but is often used for local installations e.g. ...

CVSS 6.8, AI score 8.5, EPSS 0.00536
Exploits: 1, References: 1, Affected Software: 1
Vulnerability Lab
added 2019/07/02 12:00 a.m., 3468 views

PHPwind v9.1.0 - Multiple Cross Site Scripting Vulnerabilities

Document Title: PHPwind v9.1.0 - Multiple Cross Site Scripting Vulnerabilities. References (Source): https://www.vulnerability-lab.com/getcontent.php?id=2184 and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13472. CVE-ID: CVE-2019-13472. Release Dat...

CVSS 4.3, EPSS 0.0024
Exploits: 3
CNVD
added 2018/06/15 12:00 a.m., 1 view

Shopify cross-site scripting vulnerability (CNVD-2018-11562)

Shopify is a Canadian business company headquartered in Ottawa, Ontario, Canada that develops computerized software point-of-sale systems for online stores and retailing. Shopify suffers from a cross-site scripting vulnerability that allows remote attackers to manipulate client applications to...

AI score 6.2
Exploits: 0, References: 1
OSV
added 2018/04/03 4:29 p.m., 2 views

DEBIAN-CVE-2018-1099

DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost or any other address...

CVSS 5.5, AI score 6.9, EPSS 0.00067
Exploits: 1, References: 1
Prion
added 2018/04/03 4:29 p.m., 19 views

Design/Logic Flaw

DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost or any other address...

CVSS 2.1, AI score 6.6, EPSS 0.00067
Exploits: 1, References: 4, Affected Software: 2
RedHat Linux
added 2016/11/07 9:05 a.m., 1 view

OpenJDK: insufficient checks of JDWP packets (Hotspot, 8159519)

It was discovered that the Hotspot component of OpenJDK did not properly check received Java Debug Wire Protocol (JDWP) packets. An attacker could possibly use this flaw to send debugging commands to a Java program running with debugging enabled if they could make a victim's browser send HTTP request...

CVSS 8.3, AI score 7.4, EPSS 0.03916
Exploits: 0, References: 5