
18 matches found

Positive Technologies
added 2026/05/26 12:00 a.m. · 11 views

PT-2026-43403

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals fetch, window, eval, etc. with undefined. A static source validator...

CVSS 9.3 · AI score 5.7 · EPSS 0.0023
Exploits 0 · References 2
Github Security Blog
added 2026/01/26 9:30 p.m. · 8 views

GI-DocGen vulnerable to Reflected XSS via unescaped query strings

A flaw was found in GI-DocGen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other client-side attacks — via a crafted URL that supplies a malicious value to the q GET parameter reflected DOM XSS...

CVSS 6.1 · AI score 6 · EPSS 0.00337
Exploits 0 · References 6 · Affected Software 1
OSV
added 2026/01/26 8:16 p.m. · 4 views

UBUNTU-CVE-2025-11687

A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other client-side attacks — via a crafted URL that supplies a malicious value to the q GET parameter reflected DOM XSS...

CVSS 6.1 · AI score 6 · EPSS 0.00337
Exploits 0 · References 4
EUVD
added 2026/01/26 7:36 p.m. · 6 views

EUVD-2025-206336

A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other client-side attacks — via a crafted URL that supplies a malicious value to the q GET parameter reflected DOM XSS...

CVSS 6.1 · AI score 6 · EPSS 0.00337
Exploits 0 · References 3
Positive Technologies
added 2025/12/19 12:00 a.m. · 3 views

PT-2025-52429

A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the...

CVSS 6.3 · AI score 5.8 · EPSS 0.0015
Exploits 0 · References 2
NVD
added 2025/10/22 2:15 p.m. · 3 views

CVE-2025-11844

Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitizatio...

CVSS 5.4 · EPSS 0.00252
Exploits 2 · References 2
CVE
added 2025/10/22 1:13 p.m. · 14 views

CVE-2025-11844

Hugging Face Smolagents 1.20.0 has an XPath injection in search_item_ctrl_f (vision_web_browser.py) where user input is concatenated into XPath queries without sanitization, allowing attackers to modify query logic, bypass filters, and access unintended DOM elements, potentially disrupting AI web...

CVSS 5.4 · AI score 5.7 · EPSS 0.00252
Exploits 2 · References 2 · Affected Software 1
EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2007-1092

Malware in sbrugna...

CVSS 6.8 · AI score 8.9 · EPSS 0.0219
Exploits 0 · References 65
EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2025-30451

Malicious code in bioql PyPI...

CVSS 8.2 · AI score 6.4 · EPSS 0.00438
Exploits 0 · References 6
Malwarebytes
added 2023/09/05 2:00 a.m. · 20 views

Password-stealing Chrome extension smuggled on to Web Store

Researchers at the University of Wisconsin-Madison have demonstrated that Chrome browser extensions can steal passwords from the text input fields in websites, even if the extension is compliant with Chrome's latest security and privacy standard, Manifest V3. To prove it, they created a proof of...

AI score 6.9
Exploits 0
Hacker One
added 2018/02/03 8:55 p.m. · 70 views

Node.js third-party modules: [uppy] Stored XSS due to crafted SVG file

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Module: Uppy. Affected version: 0.22.2...

AI score 6.3
Exploits 0
Positive Technologies
added 2014/10/16 12:00 a.m. · 3 views

PT-2014-5449 · Cloudbees +1 · Jenkins

Name of the Vulnerable Software and Affected Versions: Jenkins versions prior to 1.583 Jenkins LTS versions prior to 1.565.3 Description: The issue allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading t...

CVSS 4 · AI score 8.9 · EPSS 0.01361
Exploits 0 · References 7
seebug.org
added 2014/07/01 12:00 a.m. · 11 views

MS IE 5/6 OBJECT Tag Same Origin Policy Violation Vulnerability

No description provided by source. source: http://www.securityfocus.com/bid/5196/info Microsoft Internet Explorer allows script code to violate the same origin policy through usage of the HTML OBJECT tag. Malicious script code may obtain a legitimate reference to an embedded object containing a w...

AI score 7.1
Exploits 0
seebug.org
added 2014/07/01 12:00 a.m. · 22 views

Sun HotJava Browser 3 Arbitrary DOM Access Vulnerability

No description provided by source. source: http://www.securityfocus.com/bid/1837/info A malicious website operator may be able to obtain cookies from a target system browsing with Sun HotJava Browser. The Document Object Model (DOM) of arbitrary URLs can be accessed if a specially formed javascript...

AI score 7.1
Exploits 0
Mozilla
added 2010/03/23 12:00 a.m. · 29 views

XSS using addEventListener and setTimeout on a wrapped object — Mozilla

Mozilla security researcher mozbugra4 reports that by using an appropriately wrapped object it was possible to bypass the fix for MFSA 2007-19. Prior to Firefox 3.6 this gives an attacker the ability to perform cross-site scripting attacks against arbitrary sites as in the original MFSA 2007-19...

CVSS 4.3 · AI score 1.3 · EPSS 0.0176
Exploits 1 · References 3 · Affected Software 3
CVE
added 2001/01/22 5:00 a.m. · 54 views

CVE-2000-0958

CVE-2000-0958 concerns HotJava Browser 3.0, where remote attackers can access the DOM of a web page by opening a javascript: URL in a named window. The available documents identify the affected product and the basic interaction (javascript: URLs and window naming) but do not provide deeper root-c...

CVSS 5 · AI score 7 · EPSS 0.0284
Exploits 1 · References 2 · Affected Software 1
exploitpack
added 2000/10/25 12:00 a.m. · 18 views

Sun HotJava Browser 3 - Arbitrary DOM Access

Sun HotJava Browser 3 - Arbitrary DOM Access source: https://www.securityfocus.com/bid/1837/info A malicious website operator may be able to obtain cookies from a target system browsing with Sun HotJava Browser. The Document Object Model (DOM) of arbitrary URLs can be accessed if a specially formed...

Exploits 0
securityvulns
added 2000/10/06 12:00 a.m. · 31 views

IE5.5 window.external.NavigateAndFind security vulnerability...

Multiple security vulnerabilities found in window.external.NavigateAndFind function in IE5.5... After the most recent patches applied the vulnerabilities seem to persist... Actually there are no current issues discussed at the Microsoft website... Microsoft has been notified about the problem via email...

AI score 7.5
Exploits 0