SourceCodester Simple Customer Relationship Management System 代码注入漏洞

SourceCodester Simple Customer Relationship Management System is a simple customer relationship management system developed under open source by SourceCodester. Version 1.0 of the SourceCodester Simple Customer Relationship Management System contains a code injection vulnerability. This...

PT-2026-29685

A vulnerability was determined in SourceCodester Simple Customer Relationship Management System 1.0. This issue affects some unknown processing of the file /create-ticket.php of the component Create Ticket. This manipulation of the argument Description causes cross site scripting. Remote...

GHSA-R33W-C82V-X5V7 CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary Vulnerability: Blogs Posts Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS - Stored Cross-Site Scripting via Unsanitized Blog Post Content in Blog Management Categories Description The application fails to properly sanitize user-controlled input wh...

CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary Vulnerability: Stored DOM XSS via Page Management Fields Persistent Payload Injection - Stored Cross-Site Scripting via Unsanitized Page Creation and Editing Inputs Description The application fails to properly sanitize user-controlled input within the Page Management functionality when...

@ainsleydev/payload-helper (>=0.0.16 <=0.0.20), @contentql/core (>=0.1.2 <=0.3.5) +2 more potentially affected by CVE-2026-34750 via @payloadcms/storage-s3 (>=3.0.0-beta.111 <=3.0.0-beta.91)

@payloadcms/storage-s3 NPM version =3.0.0-beta.111, =0.0.16, =0.1.2, =0.1.0, =0.1.4, =0.1.5 Source cves: CVE-2026-34750 Source advisory: OSV:GHSA-FRQ9-7J6G-V74X...

Directory Traversal

Overview sillytavern is a LLM Frontend for Power Users Affected versions of this package are vulnerable to Directory Traversal via the createRouteHandler function. An attacker can determine the existence of arbitrary files on the server's filesystem by sending specially crafted requests containin...

GHSA-6R7F-Q7F5-WPX8 Payload has Authenticated SSRF via Upload Functionality

Impact An authenticated Server-Side Request Forgery SSRF vulnerability existed in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs. Consumers are affected if ALL of...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the admin panel when user-supplied content is saved in a collection with versions enabled. An attacker can execute arbitrary scripts in the context of another user's browser by submitting crafted input and...

Cross-site Scripting (XSS)

Overview @payloadcms/plugin-mcp is a MCP Model Context Protocol capabilities with Payload Affected versions of this package are vulnerable to Cross-site Scripting XSS in the admin panel when user-supplied content is saved in a collection with versions enabled. An attacker can execute arbitrary...

CVE-2026-5252

A security flaw has been discovered in z-9527 admin 1.0/2.0. Affected is an unknown function of the file /server/routes/message.js of the component Message Create Endpoint. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. The exploit has been releas...

CVE-2026-5252

The CVE-2026-5252 entry concerns z-9527 admin 1.0/2.0 with a vulnerability in the Message Create Endpoint. Specifically, manipulation of an as-yet-unknown function in /server/routes/message.js can cause cross-site scripting. The flaw is remotely exploitable and an exploit is publicly available. T...

CVE-2026-5252 z-9527 admin Message Create Endpoint message.js cross site scripting

A security flaw has been discovered in z-9527 admin 1.0/2.0. Affected is an unknown function of the file /server/routes/message.js of the component Message Create Endpoint. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. The exploit has been releas...

CVE-2026-5252 z-9527 admin Message Create Endpoint message.js cross site scripting

A security flaw has been discovered in z-9527 admin 1.0/2.0. Affected is an unknown function of the file /server/routes/message.js of the component Message Create Endpoint. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. The exploit has been releas...

CVE-2026-5252

A security flaw has been discovered in z-9527 admin 1.0/2.0. Affected is an unknown function of the file /server/routes/message.js of the component Message Create Endpoint. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. The exploit has been releas...

CVE-2026-33276

Stored cross-site scripting XSS in Checkmk 2.5.0 beta before 2.5.0b2 allows authenticated users with permission to create hosts or services to execute arbitrary JavaScript in the browsers of other users performing searches in the Unified Search feature...

UBUNTU-CVE-2026-33276

Stored cross-site scripting XSS in Checkmk 2.5.0 beta before 2.5.0b2 allows authenticated users with permission to create hosts or services to execute arbitrary JavaScript in the browsers of other users performing searches in the Unified Search feature...

CVE-2026-33276 XSS in Unified Search via Unescaped Host/Service Names

Stored cross-site scripting XSS in Checkmk 2.5.0 beta before 2.5.0b2 allows authenticated users with permission to create hosts or services to execute arbitrary JavaScript in the browsers of other users performing searches in the Unified Search feature...

CVE-2026-5152 Tenda CH22 createFileName formCreateFileName stack-based overflow

A vulnerability was detected in Tenda CH22 1.0.0.1. Impacted is the function formCreateFileName of the file /goform/createFileName. Performing a manipulation of the argument fileNameMit results in stack-based buffer overflow. The attack may be initiated remotely. The exploit is now public and may...

CVE-2025-15381

A flaw was found in mlflow/mlflow. When the basic-auth application is enabled, tracing and assessment endpoints lack proper permission validation. This allows any authenticated user, even those without specific permissions on an experiment, to read sensitive trace information and create...

SUSE-SU-2026:20986-1 Security update for postgresql13

This update for postgresql13 fixes the following issues: Security fixes: - CVE-2025-12817: Fixed missing check for CREATE privileges on the schema in CREATE STATISTICS allowed table owners to create statistics in any schema, potentially leading to unexpected naming conflicts bsc1253332 -...