CVE-2026-0512

Due to a Cross-Site Scripting XSS vulnerability in the SAP Supplier Relationship Management SICF Handler in SRM Catalog, an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of malicious content within the victim's browser. This could allow t...

EUVD-2026-22156

SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user�s browser, potentially exposing restricted information. This results in a low impact...

CVE-2026-27674 Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java)

Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java Web Dynpro Java, an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. If a victim accesses the affected functionality, th...

CVE-2026-27674 Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java)

Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java Web Dynpro Java, an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. If a victim accesses the affected functionality, th...

PT-2026-32554

Name of the Vulnerable Software and Affected Versions SAP NetWeaver Application Server Java Web Dynpro Java affected versions not specified Description A code injection issue in the Web Dynpro Java component allows an unauthenticated attacker to provide crafted input that the application interpre...

PT-2026-32561

SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user�s browser, potentially exposing restricted information. This results in a low impact...

GHSA-9PR4-RF97-79QH Note Mark has Stored XSS via Unrestricted Asset Upload

Summary A stored same-origin XSS vulnerability allows any authenticated user to upload an HTML, SVG, or XHTML file as a note asset and have it executed in a victim’s browser under the application’s origin. Because the application serves these files inline without a safe content type and without...

CVE-2026-6179

Stored Cross Site Scripting in NightWolf Penetration Testing Platform allows attack trigger and run malicious script in user's browser...

CVE-2026-6179 Stored Cross Site Scripting in NightWolf Penetration Testing Platform

Stored Cross Site Scripting in NightWolf Penetration Testing Platform allows attack trigger and run malicious script in user's browser...

CVE-2026-6179

CVE-2026-6179 concerns a stored cross-site scripting (XSS) vulnerability in NightWolf Penetration Testing Platform. The affected entry states that an attacker can trigger and run malicious script in a user’s browser due to a stored XSS flaw, enabling impact on user-side confidentiality and integr...

Totara LMS 安全漏洞

Totara LMS is an learning management system provided by the Totara company. Versions of Totara LMS prior to v19.1.5 contained security vulnerabilities. These vulnerabilities were caused by HTML injection, which could allow attackers to send malicious HTML code to all users, thereby hijacking...

CVE-2026-27787

Cross-site scripting vulnerability exists in MATCHA SNS 1.3.9 and earlier. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the website using the product...

CVE-2025-66486

IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site...

CVE-2025-66486

IBM Aspera Shares is affected by CVE-2025-66486, an HTML injection (XSS) vulnerability in the web UI. The bulletin lists affected versions 1.9.9 through 1.11.0, with remediation via IBM Aspera Shares 1.11.1 (Windows and Linux). Impact is web-based code execution within the hosting site’s context ...

EUVD-2026-17939

A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with administrative privileges to conduct a stored XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user input. An attacker could...

CVE-2026-20915 Stored cross-site scripting in Pending Changes sidebar

Stored cross-site scripting XSS in Checkmk version 2.5.0 beta before 2.5.0b2 allows authenticated users with permission to create pending changes to inject malicious JavaScript into the Pending Changes sidebar, which will execute in the browsers of other users viewing the sidebar...

CVE-2026-33653

Ulloady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting XSS vulnerability exists in versions prior to 3.1.2 due to improper sanitization of filenames during the file upload process. An attacker can upload a file with a malicious filename containing JavaScri...

Cross-site Scripting (XSS)

Overview n8n is a n8n Workflow Automation Tool Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Credential Management Flow when a crafted OAuth2 credential contains a JavaScript URL in the Authorization URL field. An attacker can execute arbitrary scripts in th...

CVE-2026-32859

ByteDance Deer-Flow is affected by a stored XSS in the artifacts API for versions prior to commit 5dbb362. An attacker can upload malicious HTML/script content as artifacts, causing the browser to execute scripts when users view artifacts, potentially leading to session compromise and credential ...

Cross-site Scripting (XSS)

Overview @orpc/openapi is a Affected versions of this package are vulnerable to Cross-site Scripting XSS in the generation of OpenAPI documentation. An attacker can execute arbitrary JavaScript in the context of the user's browser by injecting malicious payloads into controllable fields within th...