
5519 matches found

CVE
added 2026/01/23 4:47 p.m. · 8 views

CVE-2021-47892

CVE-2021-47892 concerns PEEL Shopping 9.3.0 and a stored cross-site scripting vulnerability in the "Comments / Special Instructions" parameter of the purchase page. The issue allows injection of malicious JavaScript that is executed when the page is refreshed. The available connected sources clea...

CVSS 7.2 · AI score 5.1 · EPSS 0.00225
Exploits: 0 · References: 3
RedhatCVE
added 2026/01/23 3:21 p.m. · 8 views

CVE-2025-65098

Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI key...

CVSS 7.4 · AI score 5.6 · EPSS 0.003
Exploits: 1 · References: 1
CVE
added 2026/01/23 8:37 a.m. · 10 views

CVE-2026-1363

CVE-2026-1363 affects IAQS and I6 by JNC. The issue is described as a Client-Side Enforcement of Server-Side Security vulnerability that lets unauthenticated remote attackers manipulate the web front-end to gain administrator privileges. CVSS metrics indicate high impact to confidentiality, integ...

CVSS 9.8 · AI score 5.5 · EPSS 0.00538
Exploits: 0 · References: 2
ATTACKERKB
added 2026/01/23 8:37 a.m. · 4 views

CVE-2026-1363

IAQS and I6 developed by JNC has a Client-Side Enforcement of Server-Side Security vulnerability, allowing unauthenticated remote attackers to gain administrator privileges by manipulating the web front-end...

CVSS 9.8 · AI score 5.4 · EPSS 0.00538
Exploits: 0 · References: 3
Cvelist
added 2026/01/23 8:37 a.m. · 30 views

CVE-2026-1363 JNC|IAQS and I6 - Client-Side Enforcement of Server-Side Security

IAQS and I6 developed by JNC has a Client-Side Enforcement of Server-Side Security vulnerability, allowing unauthenticated remote attackers to gain administrator privileges by manipulating the web front-end...

CVSS 9.8 · EPSS 0.00538
Exploits: 0 · References: 2
Vulnrichment
added 2026/01/23 8:37 a.m. · 4 views

CVE-2026-1363 JNC|IAQS and I6 - Client-Side Enforcement of Server-Side Security

IAQS and I6 developed by JNC has a Client-Side Enforcement of Server-Side Security vulnerability, allowing unauthenticated remote attackers to gain administrator privileges by manipulating the web front-end...

CVSS 9.8 · AI score 5.5 · EPSS 0.00538
Exploits: 0 · References: 2
EUVD
added 2026/01/23 12:31 a.m. · 9 views

EUVD-2026-4204

An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation...

CVSS 9.4 · AI score 5.6 · EPSS 0.00465
Exploits: 0 · References: 2
CVE
added 2026/01/23 12:00 a.m. · 9 views

CVE-2025-69908

The CVE-2025-69908 entry concerns Newgen OmniApp, where an unauthenticated information disclosure vulnerability can enumerate valid privileged usernames through a publicly accessible client-side JavaScript resource. Affected component is the client-side JavaScript used by OmniApp; root cause is e...

CVSS 7.5 · AI score 5.5 · EPSS 0.00381
Exploits: 1 · References: 2 · Affected Software: 1
Positive Technologies
added 2026/01/23 12:00 a.m. · 6 views

PT-2026-4473

Name of the Vulnerable Software and Affected Versions: Newgen OmniApp (affected versions not specified). Description: An unauthenticated information disclosure issue exists in Newgen OmniApp. This allows attackers to identify valid privileged usernames through a publicly accessible client-side...

CVSS 7.5 · AI score 5.3 · EPSS 0.00381
Exploits: 1 · References: 4
Packet Storm News
added 2026/01/23 12:00 a.m. · 8 views

JS Secret Hunter 2

JS Secret Hunter is an advanced Python tool designed for security researchers to automate the detection of hardcoded secrets in client-side JavaScript. Unlike simple scanners, V2 includes a dynamic crawler that parses the HTML of the target website to extract all loaded JavaScript files...

AI score 5.5
Exploits: 0
Positive Technologies
added 2026/01/23 12:00 a.m. · 7 views

PT-2026-4342

Name of the Vulnerable Software and Affected Versions: IAQS and I6 (affected versions not specified). Description: A security flaw exists in IAQS and I6 developed by JNC, allowing unauthenticated remote attackers to obtain administrator privileges. This is due to a client-side enforcement of server-si...

CVSS 9.8 · AI score 5.9 · EPSS 0.00538
Exploits: 0 · References: 9
CNNVD
added 2026/01/23 12:00 a.m. · 3 views

Newgen OmniApp security vulnerability

Newgen OmniApp is a mobile application development framework provided by the American company Newgen. Newgen OmniApp has a security vulnerability, which stems from the ability to enumerate valid privileged user names through publicly accessible client-side JavaScript resources, potentially leadin...

CVSS 7.5 · AI score 5.8 · EPSS 0.00381
Exploits: 1 · References: 3
NVD
added 2026/01/22 10:16 p.m. · 6 views

CVE-2026-1201

An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation...

CVSS 9.4 · EPSS 0.00465
Exploits: 0 · References: 2
CVE
added 2026/01/22 9:52 p.m. · 16 views

CVE-2026-1201

CVE-2026-1201 affects Hubitat Elevation hubs (pre-2.4.2.157). Root cause: an authorization bypass via user-controlled key that enables a remote authenticated user to manipulate client-side requests and control devices outside their authorized scope. Public documents from Red Hat and PT Security c...

CVSS 9.4 · AI score 5.6 · EPSS 0.00465
Exploits: 0 · References: 2
Cvelist
added 2026/01/22 9:52 p.m. · 21 views

CVE-2026-1201 Authorization Bypass Through User-Controlled Key in Hubitat Elevation Hubs

An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation...

CVSS 9.4 · EPSS 0.00465
Exploits: 0 · References: 2
Vulnrichment
added 2026/01/22 9:52 p.m. · 11 views

CVE-2026-1201 Authorization Bypass Through User-Controlled Key in Hubitat Elevation Hubs

An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation...

CVSS 9.4 · AI score 5.6 · EPSS 0.00465
Exploits: 0 · References: 2
Github Security Blog
added 2026/01/22 6:02 p.m. · 13 views

Typebot affected by Credential Theft via Client-Side Script Execution and API Authorization Bypass

Summary Client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The...

CVSS 7.4 · AI score 6 · EPSS 0.003
Exploits: 1 · References: 4 · Affected Software: 1
OSV
added 2026/01/22 6:02 p.m. · 5 views

GHSA-4XC5-WFWC-JW47 Typebot affected by Credential Theft via Client-Side Script Execution and API Authorization Bypass

Summary Client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The...

CVSS 7.4 · AI score 6.1 · EPSS 0.003
Exploits: 1 · References: 4
Vulnrichment
added 2026/01/22 4:52 p.m. · 3 views

CVE-2025-68538 WordPress Craft | Coffee Shop Cafe Restaurant WordPress theme <= 2.3.6 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Craft craftcoffee allows DOM-Based XSS. This issue affects Craft: from n/a through = 2.3.6...

AI score 5.9 · EPSS 0.00222
Exploits: 0 · References: 1
NVD
added 2026/01/22 3:16 p.m. · 7 views

CVE-2025-65098

Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI key...

CVSS 7.4 · EPSS 0.003
Exploits: 1 · References: 1