13 matches found

ATTACKERKB
added 2026/05/08 2:50 p.m., 5 views

CVE-2026-41524

Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with Laravel Blade's unescaped output directive {!! !!}. Any JavaScript or HTML injected by an editor-ro...

CVSS 8.7, AI score 5.8, EPSS 0.00033
Exploits: 0, References: 3
RedhatCVE
added 2026/02/11 1:33 a.m., 2 views

CVE-2026-25885

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-16 and earlier, the group chat WebSocket at wss://polarlearn.nl/api/v1/ws can be used without logging in. An unauthenticated client can subscribe to any group chat by providing a group UUID, and can also send messages to any...

CVSS 10, AI score 5.5, EPSS 0.00057
Exploits: 1, References: 1
EUVD
added 2026/01/19 5:54 p.m., 3 views

EUVD-2026-3209

HCL AION version 2 is affected by a Cacheable HTTP Response vulnerability. This may lead to unintended storage of sensitive or dynamic content, potentially resulting in unauthorized access or information disclosure...

CVSS 2.8, AI score 5.4, EPSS 0.00056
Exploits: 0, References: 2
NVD
added 2025/12/31 11:15 p.m., 1 view

CVE-2025-67711

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser...

CVSS 6.1, EPSS 0.00027
Exploits: 0, References: 1
CNVD
added 2025/12/25 12:00 a.m., 1 view

ChurchCRM Cross-Site Scripting Vulnerability (CNVD-2026-0535400)

ChurchCRM is an open source church management system. ChurchCRM suffers from a cross-site scripting vulnerability that stems from insufficient cleanup and coding when storing user-entered HTML/JS, which can be exploited by an attacker to execute arbitrary Web script or HTML by injecting a crafted...

CVSS 6.2, AI score 6, EPSS 0.00032
Exploits: 1, References: 1
RedhatCVE
added 2025/07/25 9:25 p.m., 1 view

CVE-2025-32019

Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Versions 2.11.2 and below, as well as versions 2.12.0-rc1 and 2.13.0-rc1, contain a vulnerability where the markdown field in the info tab page can be exploited to inject XSS code. This is fixed ...

CVSS 4.1, AI score 6.1, EPSS 0.0016
Exploits: 0, References: 1
Packet Storm News
added 2025/07/18 12:00 a.m., 1 view

Developers Insight on Manifest V3 Privacy and Security Webextensions

Webextensions can improve web browser privacy, security, and user experience. The APIs offered by the browser to webextensions affect possible functionality. Currently, Chrome transitions to a modified set of APIs called Manifest v3. This paper studies the challenges and opportunities of Manifest...

AI score 6.8
Exploits: 0
Github Security Blog
added 2025/05/08 12:31 a.m., 20 views

Craft CMS stores arbitrary content provided by unauthenticated users in session files

Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at...

CVSS 6.9, AI score 7.3, EPSS 0.33065
Exploits: 0, References: 9, Affected Software: 1
ATTACKERKB
added 2025/05/07 12:00 a.m., 54 views

CVE-2025-35939

Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at...

CVSS 6.9, AI score 7.7, EPSS 0.33065
In wild, Exploits: 0, References: 6
Github Security Blog
added 2023/07/28 3:35 p.m., 29 views

Field injection in the KirbyData text storage handler

TL;DR This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to update a Kirby content file e.g. via a contact or comment form. Your Kirby sites are not affected if they don't allow write access for...

CVSS 8.8, AI score 7.1, EPSS 0.00093
Exploits: 0, References: 9, Affected Software: 1
OSV
added 2023/07/28 3:35 p.m., 13 views

GHSA-X5MR-P6V4-WP93 Field injection in the KirbyData text storage handler

TL;DR This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to update a Kirby content file e.g. via a contact or comment form. Your Kirby sites are not affected if they don't allow write access for...

CVSS 7.1, AI score 7.8, EPSS 0.00093
Exploits: 0, References: 9
seebug.org
added 2014/07/01 12:00 a.m., 18 views

Macromedia Flash Player 6.0.x Flash Cookie Predictable File Location Weakness

No description provided by source. source: http://www.securityfocus.com/bid/8900/info Macromedia Flash Player is reported to store Flash cookies .sol files in a predictable location on client systems. Other attacks are possible given the ability to store content on a system in a predictable...

AI score 7.1
Exploits: 0
securityvulns
added 2008/10/26 12:00 a.m., 29 views

Opera Stored Cross Site Scripting Vulnerability

Opera Stored Cross Site Scripting Vulnerability. Vendor Website: http://www.opera.com. Affected Version: All desktop versions. Public disclosure on 22nd October 2008...

AI score 6.1
Exploits: 0