
13 matches found

Vulnrichment
added 2026/04/21 7:55 p.m. · 3 views

CVE-2026-40911 WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the msg or callback fields. On the client side, plugin/YPTSocket/script.js contains two eval...

CVSS 10 · AI score 5.9 · EPSS 0.00645 · Exploits 1 · References 2
OSV
added 2026/01/08 6:16 p.m. · 7 views

CVE-2026-22232

OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0...

CVSS 5.4 · AI score 5.8 · EPSS 0.00207 · Exploits 0 · References 3
Mageia
added 2025/11/21 7:56 p.m. · 5 views

Updated redis packages fix security vulnerabilities

A Lua script may lead to remote code execution. CVE-2025-49844 A Lua script may lead to integer overflow and potential RCE. CVE-2025-46817 A Lua script can be executed in the context of another user. CVE-2025-46818 LUA out-of-bound read. CVE-2025-46819...

CVSS 9.9 · AI score 8.3 · EPSS 0.86268 · Exploits 15 · References 4
Tenable Nessus
added 2025/10/10 12:0 a.m. · 6 views

SUSE SLES15 / openSUSE 15 Security Update : redis (SUSE-SU-2025:03505-1)

The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:03505-1 advisory. - CVE-2025-49844: Malicious Lua scripts may lead to remote code execution. bsc1250995 - CVE-2025-46817: Malicious Lu...

CVSS 9.9 · AI score 8.8 · EPSS 0.86268 · Exploits 15 · References 10
SUSE Linux
added 2025/10/08 9:4 p.m. · 6 views

Security update for redis7

This update for redis7 fixes the following issues: CVE-2025-49844: Malicious Lua scripts may lead to remote code execution. bsc1250995 CVE-2025-46817: Malicious Lua scripts may lead to integer overflow and potential remote code execution. bsc1250995 CVE-2025-46818: Malicious Lua scripts can be...

CVSS 9.9 · AI score 7.9 · EPSS 0.86268 · Exploits 15 · References 10
SUSE Linux
added 2025/10/08 6:35 p.m. · 4 views

Security update for valkey

This update for valkey to version 8.0.6 fixes the following issues: CVE-2025-49844: Malicious Lua scripts may lead to remote code execution. bsc1250995 CVE-2025-46817: Malicious Lua scripts may lead to integer overflow and potential remote code execution. bsc1250995 CVE-2025-46818: Malicious Lua...

CVSS 9.9 · AI score 8.2 · EPSS 0.86268 · Exploits 15 · References 10
OSV
added 2025/10/08 12:15 a.m. · 3 views

CVE-2025-61998

OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content as a URL within the Technical Support Hyperlink Manager. Injected content is executed in the context of other users when they click the malicious link. Successful exploitation allows the...

CVSS 4.8 · AI score 5.8 · EPSS 0.0022 · Exploits 0 · References 3
OSV
added 2025/10/08 12:15 a.m. · 4 views

CVE-2025-61999

OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to upload JavaScript or other content embedded in an SVG image used as a logo. Injected content is executed in the context of other users when they view affected pages. Successful exploitation allows the administrative user to perfo...

CVSS 4.8 · AI score 5.8 · EPSS 0.0022 · Exploits 0 · References 3
Cvelist
added 2025/10/07 11:13 p.m. · 10 views

CVE-2025-61996 OPEXUS FOIAXpress stored XSS via annual report template

OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Template. Injected content is executed in the context of other users when they generate an Annual Report. Successful exploitation allows the administrative user to perfo...

CVSS 4.8 · EPSS 0.0022 · Exploits 0 · References 3
Positive Technologies
added 2025/10/07 12:0 a.m. · 3 views

PT-2025-41201

Name of the Vulnerable Software and Affected Versions: OPEXUS FOIAXpress versions prior to 11.13.3.0 Description: An administrative user can upload JavaScript or other content embedded within an SVG image used as a logo. This injected content is executed when other users view affected pages...

CVSS 4.8 · AI score 6.6 · EPSS 0.0022 · Exploits 0 · References 7
Positive Technologies
added 2025/09/22 12:0 a.m. · 4 views

PT-2025-39190

Name of the Vulnerable Software and Affected Versions: DNN formerly DotNetNuke versions prior to 10.1.0 Description: DNN formerly DotNetNuke is an open-source web content management platform. Prior to version 10.1.0, the Biography field allowed injection of JavaScript code, even when not configured...

CVSS 6.3 · AI score 7.2 · EPSS 0.00166 · Exploits 0 · References 9
OSV
added 2024/10/28 4:15 a.m. · 2 views

DEBIAN-CVE-2024-48936

SchedMD Slurm before 24.05.4 has Incorrect Authorization. A mistake in authentication handling in stepmgr could permit an attacker to execute processes under other users' jobs. This is limited to jobs explicitly running with --stepmgr, or on systems that have globally enabled stepmgr via...

CVSS 5 · AI score 5.6 · EPSS 0.00336 · Exploits 0 · References 1
Positive Technologies
added 2024/10/28 12:0 a.m. · 3 views

PT-2024-33282 · Schedmd · Slurm

Name of the Vulnerable Software and Affected Versions: SchedMD Slurm versions prior to 24.05.4 Description: A mistake in authentication handling in stepmgr could permit an attacker to execute processes under other users' jobs. This issue is limited to jobs explicitly running with --stepmgr, or on...

CVSS 5 · AI score 7.2 · EPSS 0.00336 · Exploits 0 · References 25