Jenkins build-metrics 1.3 - Cross-Site Scripting

Jenkins build-metrics 1.3 is vulnerable to a reflected cross-site scripting vulnerability that allows attackers to inject arbitrary HTML and JavaScript into the web pages the plugin provides. id: CVE-2019-10475 info: name: Jenkins build-metrics 1.3 - Cross-Site Scripting author: madrobot severity...

CVE-2026-11357 Kadence Blocks <= 3.7.5 - Authenticated (Contributor+) Sensitive Information Exposure via Block Editor proData Localization

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.7.5 via the editorassetsvariables. This makes it possible for authenticated attackers, with contributor-level access and abov...

Siemens RUGGEDCOM RST2428P Cross-site Scripting (CVE-2026-22610)

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting XSS vulnerability has been identified in the Angular Template Compiler. The...

CVE-2026-44646

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, Context.spawn creates a child Context for the % render % tag but does not propagate the parent context's resolved ownPropertyOnly value, resulting in a silent bypass. The new...

CVE-2026-53676

ThingsBoard contains a prototype pollution vulnerability which may lead to arbitrary code execution within a sandboxed context by a user who can log in to the affected product with the tenant administrator privilege TENANTADMIN...

CVE-2026-44646 LiquidJS: `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, Context.spawn creates a child Context for the % render % tag but does not propagate the parent context's resolved ownPropertyOnly value, resulting in a silent bypass. The new...

CVE-2026-44646

LiquidJS CVE-2026-44646: TheContext.spawn() path used by {% render %} creates a child Context without propagating the parent’s resolved ownPropertyOnly value, causing per-render overrides to be discarded inside partials. This enables prototype-chain property access in rendered partials when top-l...

EUVD-2026-36729

webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies...

CVE-2025-26240

In JazzCore python-pdfkit 1.0.0, the fromstring method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files...

netty-resolver-dns: Netty: Information disclosure and data manipulation due to improper CNAME record validation

A flaw was found in Netty's DnsResolveContext. This vulnerability allows a remote attacker to achieve information disclosure or data manipulation by crafting malicious DNS responses. The flaw occurs because the DnsResolveContext fails to validate the origin bailiwick of CNAME records in DNS...

CGA-6WM4-684P-3CQ5

Bulletin has no description...

Bosch Security Systems IP Cameras Cross-site Scripting (CVE-2021-23848)

An error in the URL handler Bosch IP cameras may lead to a reflected cross site scripting XSS in the web-based interface. An attacker with knowledge of the camera address can send a crafted link to a user, which will execute javascript code in the context of the user. This plugin only works with...

MINI-JWPV-G2H7-5R29

Bulletin has no description...

CVE-2026-0127

The CVE-2026-0127 entry describes an out-of-bounds read caused by memory corruption in NrmmMsgCodec::DecodeUPUTransparentContext (cn_NrmmDecoder.cpp). This vulnerability allows a remote denial of service (communication processor crash) with no user interaction and requires network access (per CVS...

MINI-HJ58-QJWV-WCV3

Bulletin has no description...

CVE-2026-9507 Session fixation vulnerability in Enhancesoft's osTicket

A session fixation vulnerability has been identified in osTicket v1.18.2. This security flaw allows an attacker to hijack a victim’s account by keeping the initial session identifier OSTSESSID active after a successful login. The issue lies in the fact that the application does not invalidate the...

Apache ActiveMQ - Remote Code Execution

Improper Input Validation, Improper Control of Generation of Code 'Code Injection' vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations o...

Apache Log4j2 - Remote Code Injection

Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations. id: CVE-2021-45046 info: name: Apache Log4j2 - Remote Code Injection author: ImNightmaree severity: critical description: Apache Log4j2 Thread Context Lookup Pattern is...

EUVD-2026-36924

Shop manager PHP Object Injection in CTX Feed = 6.6.26 versions...

CVE-2026-9595

Impact: When a user-configured proxy on webpack-dev-server has a broad context e.g. / and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin...