75 matches found
Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks
Threat actors are exploiting a recently disclosed critical security flaw in Ghost CMS to inject malicious JavaScript code with an aim to fuel ClickFix attacks. According to QiAnXin XLab, the activity involves the exploitation of CVE-2026-26980 (CVSS score: 9.4), an SQL injection vulnerability in...
PT-2026-41688
Summary The custom html purify validation rule used to sanitize blog post bodies relies on by-reference mutation (?string &$str), but CodeIgniter 4's validator passes a local copy of the value, so the sanitized text is silently discarded. The Blog controller writes $lanData['content'] directly into...
GHSA-W4RC-P66M-X6QQ Grav Form Plugin has an Anonymous Page Content Overwrite via Form File Upload filename Override
Summary Tested on Form 9.0.3 released on April 28th. The Form plugin's file upload handler at user/plugins/form/classes/Form.php:583 accepts a POST-supplied filename parameter ($filename = $post['filename'] ?? $upload['file']['name']) that overrides the original uploaded filename. The override passes...
CVE-2026-28736
Focalboard 8.0 is affected by an IDOR-like issue in the file content endpoint: it fails to validate ownership when serving uploaded files, enabling an authenticated user who knows a victim’s fileID to read that file’s content. The vulnerability stems from insufficient access checks for file retri...
Apple Multiple products Use-After-Free Vulnerability
Apple macOS, iOS, iPadOS, and Safari 16.6 contain a use-after-free vulnerability due to the processing of maliciously crafted web content that may lead to memory corruption...
CVE-2026-27742
Bludit version 3.16.2 contains a stored cross-site scripting (XSS) vulnerability in the post content functionality. The application performs client-side sanitization of content input but does not enforce equivalent sanitization on the server side. An authenticated user can inject arbitrary JavaScript...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in getContent in ActionReportResultHtmlProvider.java, which is accessible via the REST Management Interface. An attacker can cause an administrator to change the admin password by convincing them to follow a...
CVE-2009-4137
The loadContentFromCookie function in core/Cookie.php in Piwik before 0.5 does not validate strings obtained from cookies before calling the unserialize function, which allows remote attackers to execute arbitrary code or upload arbitrary files via vectors related to the destruct function in the...
CVE-2025-23642
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pflonk Sidebar-Content from Shortcode (sidebar-content-from-shortcode) allows DOM-Based XSS. This issue affects Sidebar-Content from Shortcode: from n/a through = 2.0...
CVE-2025-43541
A type confusion issue was addressed with improved state handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Processing maliciously crafted web content may lead to an unexpected Safari crash...
CVE-2025-43440
A flaw was found in WebKitGTK. Processing malicious web content can cause JIT issues due to improper checks and result in an unexpected process crash. Mitigation Do not process or load untrusted web content with WebKitGTK. In Red Hat Enterprise Linux 7, the following packages require WebKitGTK4:...
EUVD-2013-0937
Malware in sbrugna...
EUVD-2020-25090
Malware in sbrugna...
EUVD-2020-25132
Malware in sbrugna...
EUVD-2010-0149
Malware in sbrugna...
EUVD-2019-18209
Malware in sbrugna...
EUVD-2021-24943
Malware in sbrugna...
EUVD-2021-17766
Malware in sbrugna...
EUVD-2025-8981
Malicious code in bioql PyPI...
EUVD-2025-6145
Malicious code in bioql PyPI...