CVE-2026-34803 Endian Firewall /manage/qos/classes/ name Stored Cross-Site Scripting

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting XSS via the name parameter to /manage/qos/classes/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page...

CVE-2026-34803

Endian Firewall versions 3.3.25 and earlier are affected by a stored XSS flaw in the name parameter of /manage/qos/classes/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page. Impact is limited to the described stored XSS...

CVE-2026-34803

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting XSS via the name parameter to /manage/qos/classes/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page...

Endian Firewall 跨站脚本漏洞

Endian Firewall is a network security firewall system from Endian. A cross-site scripting vulnerability exists in the Endian Firewall name parameter, which stems from improper cleanup of the name parameter input in /manage/qos/classes/, and can be exploited by an attacker to inject malicious...

Endian Firewall 跨站脚本漏洞

Endian Firewall is a network security firewall system from Endian. A cross-site scripting vulnerability exists in the Endian Firewall name parameter, which stems from improper cleanup of the name parameter input in /manage/qos/classes/, and can be exploited by an attacker to inject malicious...

CVE-2026-34455 Hi.Events: SQL Injection via Unvalidated sort_by Query Parameter in Multiple Repository Classes

Hi.Events is an open-source event management and ticket selling platform. From version 0.8.0-beta.1 to before version 1.7.1-beta, multiple repository classes pass the user-supplied sortby query parameter directly to Eloquent's orderBy without validation, enabling SQL injection. The application us...

OpenSTAManager Affected by Remote Code Execution via Insecure Deserialization in OAuth2

Description The oauth2.php file in OpenSTAManager is an unauthenticated endpoint $skippermissions = true. It loads a record from the zzoauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize on the accesstoken field without any...

CLSA-2026-1775033648 postgresql-jdbc: Fix of CVE-2022-21724

CVE-2022-21724: ensure arbitrary classes can't be passed instead of SocketFactory, SSLSocketFactory, CallbackHandler, HostnameVerifier - Restore testing from previous spec versions, exclude broken tests...

Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching

...

openSUSE 16 Security Update : salt (openSUSE-SU-2026:20412-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20412-1 advisory. Changes in salt: - Security issues fixed: CVE-2025-67724: fixed missing validation of supplied reason phrase bsc1254903 CVE-2025-67725: fixed Do...

Deserialization Of Untrusted Data

Saloon is vulnerable to Deserialization Of Untrusted Data. The vulnerability is due to unsafe use of PHP’s unserialize with allowedclasses enabled when restoring OAuth token state, which allows an attacker to supply malicious serialized objects and trigger execution of arbitrary code via gadget...

UBUNTU-CVE-2026-33672

Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the POSIXREGEXSOURCE object. Because the object inherits from Object.prototype, specially crafted POSIX bracket expressions e.g., :constructor: ca...

CVE-2026-33672

CVE-2026-33672 affects the Picomatch glob matcher used in JavaScript. The vulnerability stems from a method-injection in the POSIX_REGEX_SOURCE object, which inherits from Object.prototype. Attackers can craft POSIX bracket expressions (for example, [[:constructor:]]) that reference inherited met...

Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching

Impact picomatch is vulnerable to a method injection vulnerability CWE-1321 affecting the POSIXREGEXSOURCE object. Because the object inherits from Object.prototype, specially crafted POSIX bracket expressions e.g., :constructor: can reference inherited method names. These methods are implicitly...

SUSE CVE-2026-23923

An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time...

Security update for salt

This update for salt fixes the following issues: Security issues fixed: CVE-2025-67724: Fixed missing validation of supplied reason phrase bsc1254903 CVE-2025-67725: Fixed DoS via malicious HTTP request bsc1254905 CVE-2025-67726: Fixed HTTP header parameter parsing algorithm bsc1254904...

SUSE-SU-2026:1030-1 Security update for salt

This update for salt fixes the following issues: - Security issues fixed: CVE-2025-67724: Fixed missing validation of supplied reason phrase bsc1254903 CVE-2025-67725: Fixed DoS via malicious HTTP request bsc1254905 CVE-2025-67726: Fixed HTTP header parameter parsing algorithm bsc1254904...

Security update for salt

This update for salt fixes the following issues: Security issues fixed: CVE-2025-67724: Fixed missing validation of supplied reason phrase bsc1254903 CVE-2025-67725: Fixed DoS via malicious HTTP request bsc1254905 CVE-2025-67726: Fixed HTTP header parameter parsing algorithm bsc1254904...

SUSE-SU-2026:1029-1 Security update for salt

This update for salt fixes the following issues: - Security issues fixed: CVE-2025-67724: Fixed missing validation of supplied reason phrase bsc1254903 CVE-2025-67725: Fixed DoS via malicious HTTP request bsc1254905 CVE-2025-67726: Fixed HTTP header parameter parsing algorithm bsc1254904...

SUSE-SU-2026:1028-1 Security update for salt

This update for salt fixes the following issues: - Security issues fixed: CVE-2025-67724: Fixed missing validation of supplied reason phrase bsc1254903 CVE-2025-67725: Fixed DoS via malicious HTTP request bsc1254905 CVE-2025-67726: Fixed HTTP header parameter parsing algorithm bsc1254904...