Lucene search
+L

595 matches found

Cvelist
Cvelist
added 2026/07/01 7:53 a.m.41 views

CVE-2026-10096 Qi Blocks <= 1.4.9 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Style Modification via 'page_id' Parameter

The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'pageid' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, t...

4.3CVSS0.00196EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/06/08 2:59 p.m.11 views

CVE-2026-41159

A flaw was found in Mermaid, a JavaScript tool for creating diagrams and charts. A remote attacker could exploit this vulnerability by injecting malicious Cascading Style Sheets CSS through specific configuration options, such as fontFamily, themeCSS, and altFontFamily. This injected CSS can bypa...

5.4CVSS6.1AI score0.00398EPSS
Exploits0References7
NVD
NVD
added 2026/05/29 3:16 p.m.13 views

CVE-2026-41159

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration...

5.3CVSS0.00398EPSS
Exploits0References5
UbuntuCve
UbuntuCve
added 2026/05/29 3:16 p.m.17 views

CVE-2026-41159

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration...

5.3CVSS5.8AI score0.00398EPSS
Exploits0References7
EUVD
EUVD
added 2026/05/29 1:53 p.m.13 views

EUVD-2026-33324

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration...

5.3CVSS5.8AI score0.00398EPSS
Exploits0References4
CVE
CVE
added 2026/05/29 1:53 p.m.51 views

CVE-2026-41159

Mermaid (mermaid-js) contains a CSS injection vulnerability (CVE-2026-41159) affecting prior releases. Before fixes in v10.9.6 and v11.15.0, its default config allows injecting CSS via fontFamily, themeCSS, and altFontFamily. The injected CSS exploits stylis’s scope handling, where :not(&) escape...

5.3CVSS5.8AI score0.00398EPSS
Exploits0References5Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/29 1:53 p.m.8 views

CVE-2026-41159

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration...

5.3CVSS5.8AI score0.00398EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/05/11 7:37 p.m.5 views

GHSA-87F9-HVMW-GH4P Mermaid: Improper sanitization of configuration leads to CSS injection

Impact Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration options. Live demo: mermaid.live Example code: %%init: "fontFamily": "x;ab :not&background:green !important cd"%% flowchart LR A --...

5.3CVSS5.8AI score0.00398EPSS
Exploits0References8
OSV
OSV
added 2026/05/11 7:36 p.m.10 views

GHSA-XCJ9-5M2H-648R Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection

Details The state diagram and any other diagram type that routes user-controlled style strings through createCssStyles parser for Mermaid v11.14.0 and earlier captures classDef values with an unrestricted regex: jison // packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83 ^\n...

5.3CVSS5.8AI score0.00338EPSS
Exploits0References8
Malwarebytes
Malwarebytes
added 2026/05/08 12:0 p.m.13 views

ShinyHunters escalates Canvas attacks with school login defacements

Days after confirming a major data breach, Instructure is now facing a second blow. Earlier this week, Instructure confirmed a major data breach affecting its cloud‑hosted Canvas environment, with the ShinyHunters group claiming it stole hundreds of millions of records tied to thousands of school...

5.8AI score
Exploits0
Krebs on Security
Krebs on Security
added 2026/05/08 2:58 a.m.11 views

Canvas Breach Disrupts Schools & Colleges Nationwide

An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework at school districts and universities across the United States today, after a cybercrime group defaced the service's login page with a ransom demand that threatened to...

5.7AI score
Exploits0
HackRead
HackRead
added 2026/05/07 11:55 p.m.34 views

ShinyHunters Defaces Canvas LMS Portal, Hundreds of Universities Affected

ShinyHunters hackers defaced the official Canvas LMS portal after breaching Instructure systems, disrupting university access worldwide...

5.8AI score
Exploits0
Rapid7 Blog
Rapid7 Blog
added 2026/04/21 2:38 p.m.17 views

Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained

Overview For executive leadership, the emergence of Kyber ransomware represents a significant and immediate threat due to its specialized, dual-platform deployment capability targeting mission-critical virtualization infrastructure VMware ESXi and core Windows file systems. This cross-platform...

6.1AI score
Exploits0
EUVD
EUVD
added 2026/04/06 5:20 p.m.8 views

EUVD-2026-19390

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, Tandoor Recipes allows authenticated users to inject arbitrary tags into recipe step instructions. The bleach.clean sanitizer explicitly whitelists the tag, causing the backend to...

5.4CVSS6.1AI score0.00173EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/03/31 5:18 p.m.4 views

CVE-2026-0396

A flaw was found in dnsdist. A remote attacker could exploit this vulnerability by sending specially crafted DNS queries to a dnsdist instance where domain-based dynamic rules have been enabled. This could allow the attacker to inject malicious HTML content into the internal web dashboard,...

3.1CVSS5.9AI score0.00136EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/26 3:3 p.m.5 views

CVE-2026-29100

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. SuiteCRM 7.15.0 contains a reflected HTML injection vulnerability in the login page that allows attackers to inject arbitrary HTML content, enabling phishing attacks and page defacement. Versio...

7.1CVSS5.9AI score0.00164EPSS
Exploits0References1
NVD
NVD
added 2026/03/19 11:16 p.m.4 views

CVE-2026-29100

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. SuiteCRM 7.15.0 contains a reflected HTML injection vulnerability in the login page that allows attackers to inject arbitrary HTML content, enabling phishing attacks and page defacement. Versio...

7.1CVSS0.00164EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/19 10:48 p.m.1 views

CVE-2026-29100

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. SuiteCRM 7.15.0 contains a reflected HTML injection vulnerability in the login page that allows attackers to inject arbitrary HTML content, enabling phishing attacks and page defacement. Versio...

7.1CVSS5.9AI score0.00164EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/19 10:48 p.m.3 views

CVE-2026-29100 SuiteCRM has Reflected HTML Injection in Login Page via default_user_name Parameter

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. SuiteCRM 7.15.0 contains a reflected HTML injection vulnerability in the login page that allows attackers to inject arbitrary HTML content, enabling phishing attacks and page defacement. Versio...

7.1CVSS5.9AI score0.00164EPSS
Exploits0References1
CVE
CVE
added 2026/03/19 10:48 p.m.12 views

CVE-2026-29100

Summary: CVE-2026-29100 affects SuiteCRM. The vulnerability is a reflected HTML injection on the login page, enabling an attacker to inject arbitrary HTML content (e.g., phishing content or page defacement). The issue is associated with SuiteCRM version 7.15.0 and is fixed in 7.15.1. What’s affec...

7.1CVSS5.9AI score0.00164EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder