
6 matches found

Vulnrichment
added 2026/04/08 8:7 p.m., 0 views

CVE-2026-39415 Frappe Learning Management System has Client-Side Manipulation of Quiz Scores

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on client-side calculated...

CVSS 5.3, AI score 5.8, EPSS 0.00262
Exploits: 0, References: 1
Snyk
added 2026/02/25 4:4 p.m., 3 views

Cross-site Scripting (XSS)

Overview: repostat is a simple React component to fetch and display GitHub repository info. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the RepoCard component when untrusted input is passed to the repo prop and rendered using dangerouslySetInnerHTML without...

CVSS 6.1, AI score 5.9, EPSS 0.00196
Exploits: 1, References: 2
RedhatCVE
added 2026/01/09 12:33 p.m., 4 views

CVE-2023-31847

In davinci 0.3.0-rc after logging in, the user can connect to the mysql malicious server by controlling the data source to read arbitrary files on the client side...

CVSS 6.5, AI score 6.9, EPSS 0.00629
Exploits: 1, References: 1
EUVD
added 2025/12/09 6:11 p.m., 5 views

EUVD-2025-202183

Legality WHISTLEBLOWING by DigitalPA contains a protection mechanism failure in which critical HTTP security headers are not emitted by default. Affected deployments omit Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, and...

CVSS 7.1, AI score 6.2, EPSS 0.00374
Exploits: 0, References: 4
Imperva Blog
added 2021/10/28 1:9 p.m., 11 views

Recent NPM package hack is an alarming reminder of the risks of website supply-chain fraud

There are over 1.8 billion websites online today. Almost 98% of them are powered by JavaScript, and for a good reason: JavaScript’s flexibility and portability enable the rich online functionality we’ve all come to know and love. But when that same functionality becomes a significant vector for...

AI score 1.1
Exploits: 0
RedHat Linux
added 2015/08/12 5:4 a.m., 0 views

foreman: the _session_id cookie is issued without the Secure flag

It was found that Foreman did not set the HttpOnly flag on session cookies. This could allow a malicious script to access the session cookie...

CVSS 5, AI score 5.7, EPSS 0.02222
Exploits: 0, References: 4