CVE-2025-36410

CVE-2025-36410 affects IBM ApplinX 11.1. An authenticated user could perform unauthorized administrative actions on the server due to server-side enforcement of client-side security. The Red Hat, CIRCL, NVD, and IBM bulletin entries corroborate the same description and indicate the issue resides ...

CVE-2025-36410

IBM ApplinX 11.1 could allow an authenticated user to perform unauthorized administrative actions on the server due to server-side enforcement of client-side security...

SUSE CVE-2026-23534

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a...

PT-2026-3626

IBM ApplinX 11.1 could allow an authenticated user to perform unauthorized administrative actions on the server due to server-side enforcement of client-side security...

UBUNTU-CVE-2026-23533

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residual data causes out-of-bounds writes during color output. A malicious server can trigger a...

Apache Kyuubi Directory Traversal Vulnerability

Apache Kyuubi is a distributed SQL gateway from the Apache Foundation. Apache Kyuubi suffers from a directory traversal vulnerability that originates from a client-side bypass of server-side configuration, which can be exploited by an attacker to cause access to unauthorized local files...

EUVD-2026-3143

The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated...

PT-2026-3351

The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated...

CVE-2026-0629 Authentication Bypass in Password Recovery Feature via Local Web App on Multiple VIGI Cameras

Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state. Attackers can gain full administrative access to the device,...

CVE-2026-0696

In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values...

CVE-2026-0696 Session Cookies Missing HttpOnly Attribute

In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values...

CVE-2025-62291

In the eap-mschapv2 plugin client-side in strongSwan before 6.0.3, a malicious EAP-MSCHAPv2 server can send a crafted message of size 6 through 8, and cause an integer underflow that potentially results in a heap-based buffer overflow...

PT-2026-3252

Name of the Vulnerable Software and Affected Versions ConnectWise PSA versions prior to 2026.1 Description Certain session cookies were not configured with the HttpOnly attribute in affected versions. This could potentially allow client-side scripts to access session cookie values. Recommendation...

CVE-2026-22787

html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting XSS vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing...

CVE-2026-20839

Improper access control in Windows Client-Side Caching CSC Service allows an authorized attacker to disclose information locally...

CVE-2026-22787

html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting XSS vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing...

Cross-site Scripting (XSS)

Overview org.webjars.npm:html2pdf.js is a Client-side HTML-to-PDF rendering using pure JS Affected versions of this package are vulnerable to Cross-site Scripting XSS via the html2pdf function when processing unsanitized text not element sources. An attacker can execute arbitrary scripts in the...

Cross-site Scripting (XSS)

Overview html2pdf.js is a Client-side HTML-to-PDF rendering using pure JS Affected versions of this package are vulnerable to Cross-site Scripting XSS via the html2pdf function when processing unsanitized text not element sources. An attacker can execute arbitrary scripts in the context of the...

CVE-2026-22787

CVE-2026-22787 affects html2pdf.js. Prior to version 0.14.0, passing a text source (not an element) could trigger an XSS because the text wasn’t sufficiently sanitized before attaching to the DOM. The vulnerability is limited to client-side rendering of HTML-to-PDF via html2pdf.js, with potential...

EUVD-2026-2450

html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting XSS vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing...