66 matches found

EUVD
added 2026/06/09 6:30 p.m. | 7 views

EUVD-2026-35639

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser...

CVSS 5.4 | AI score 5.5 | EPSS 0.00207
Exploits: 0 | References: 2

RedhatCVE
added 2026/06/05 7:21 p.m. | 8 views

CVE-2026-41259

Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted...

CVSS 8.2 | AI score 5.5 | EPSS 0.00213
Exploits: 0 | References: 1

ATTACKERKB
added 2026/04/23 6:55 p.m. | 3 views

CVE-2026-41259

Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted...

CVSS 8.2 | AI score 5.8 | EPSS 0.00213
Exploits: 0 | References: 2 | Affected Software: 1

NVD
added 2026/04/08 9:16 a.m. | 4 views

CVE-2026-39667

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jongmyoung Kim Korea SNS korea-sns allows DOM-Based XSS. This issue affects Korea SNS: from n/a through <= 1.7.0...

CVSS 5.9 | EPSS 0.00172
Exploits: 0 | References: 1

EUVD
added 2026/04/06 2:48 p.m. | 3 views

EUVD-2026-19279

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface...

CVSS 6.1 | AI score 6 | EPSS 0.00187
Exploits: 0 | References: 1

Metasploit
added 2026/04/02 7:2 p.m. | 132 views

HTTPS Fetch, DNS TXT Record Payload Download and Execution

Fetch and execute an x86 payload from an HTTPS server. Performs a TXT query against a series of DNS records and executes the returned x86 shellcode. The DNSZONE option is used as the base name to iterate over. The payload will first request the TXT contents of the a hostname, followed by b, then ...

AI score 5.8
Exploits: 0

Positive Technologies
added 2026/04/02 12:0 a.m. | 6 views

PT-2026-29727

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark O’Donnell MSTW League Manager allows DOM-Based XSS. This issue affects MSTW League Manager: from n/a through 2.10...

CVSS 6.5 | AI score 5.9 | EPSS 0.00133
Exploits: 0 | References: 2

RedhatCVE
added 2026/03/31 5:18 p.m. | 2 views

CVE-2026-0396

A flaw was found in dnsdist. A remote attacker could exploit this vulnerability by sending specially crafted DNS queries to a dnsdist instance where domain-based dynamic rules have been enabled. This could allow the attacker to inject malicious HTML content into the internal web dashboard,...

CVSS 3.1 | AI score 5.9 | EPSS 0.00136
Exploits: 0 | References: 2

CVE
added 2026/03/31 11:50 a.m. | 14 views

CVE-2026-0396

CVE-2026-0396 affects dnsdist, a DNS load balancer. The issue arises when domain-based dynamic rules are enabled (DynBlockRulesGroup:setSuffixMatchRule / setSuffixMatchRuleFFI), allowing crafted DNS queries to cause HTML content injection into the internal web dashboard. Associated advisories con...

CVSS 4.3 | AI score 5.9 | EPSS 0.00136
Exploits: 0 | References: 1 | Affected Software: 1

ATTACKERKB
added 2026/03/19 8:25 a.m. | 5 views

CVE-2025-62043

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPSight WPCasa allows DOM-Based XSS. This issue affects WPCasa: from n/a through 1.4.1...

CVSS 6.5 | AI score 5.8 | EPSS 0.00129
Exploits: 0 | References: 2

ATTACKERKB
added 2026/03/13 11:42 a.m. | 1 views

CVE-2026-32361

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marketing Fire Editorial Calendar editorial-calendar allows DOM-Based XSS. This issue affects Editorial Calendar: from n/a through <= 3.9.0...

AI score 5.8 | EPSS 0.00161
Exploits: 0 | References: 2

OSV
added 2026/03/12 4:38 p.m. | 3 views

GHSA-4CM8-XPFV-JV6F ZeptoClaw: Email Sender Spoofing to bypass Header-Only From Allowlist Validation

Summary: The email channel authorizes senders based on the parsed From header identity only. If upstream email authentication/enforcement is weak (for example, relaxed SPF/DKIM/DMARC handling), an attacker can spoof an allowlisted sender address and have the message treated as trusted input. Details...

CVSS 6.5 | AI score 5.9
Exploits: 0 | References: 3

CVE
added 2026/02/20 3:46 p.m. | 8 views

CVE-2025-69368

CVE-2025-69368 is a DOM-based XSS in GT3themes SOHO – Photography WordPress Theme (soho) up to version 3.0.3, caused by improper input neutralization during web page generation. Public sources (NVD/Red Hat/CVE listing) describe the vulnerability as cross-site scripting with DOM-based execution an...

CVSS 7.1 | AI score 5.5 | EPSS 0.0023
Exploits: 0 | References: 1

CVE
added 2026/01/22 4:52 p.m. | 8 views

CVE-2025-68538

CVE-2025-68538 affects ThemeGoods Craft craftcoffee (WordPress Theme Craft) with a DOM-Based XSS in the web page generation path due to improper input neutralization. Affected versions are

CVSS 7.1 | AI score 5.4 | EPSS 0.00222
Exploits: 0 | References: 1

Vulnrichment
added 2026/01/05 1:27 p.m. | 3 views

CVE-2023-49186 WordPress Machic Core plugin <= 1.2.6 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KlbTheme Machic Core allows DOM-Based XSS. This issue affects Machic Core: from n/a through 1.2.6...

CVSS 7.1 | AI score 6 | EPSS 0.00143
Exploits: 0 | References: 1

RedhatCVE
added 2025/12/31 11:5 a.m. | 3 views

CVE-2025-68991

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in xenioushk BWL Pro Voting Manager bwl-pro-voting-manager allows DOM-Based XSS. This issue affects BWL Pro Voting Manager: from n/a through <= 1.4.9...

CVSS 6.5 | AI score 6.4 | EPSS 0.00156
Exploits: 0 | References: 1

RedhatCVE
added 2025/12/11 7:0 p.m. | 10 views

CVE-2025-64538

Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by injecting malicious scripts into a web page that are executed in the context of the...

CVSS 9.3 | AI score 6.4 | EPSS 0.00533
Exploits: 0 | References: 1

CVE
added 2025/12/10 6:24 p.m. | 15 views

CVE-2025-64583

Adobe Experience Manager 6.5.23 and earlier is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability (CWE-79) that could allow a low-privileged attacker to run malicious scripts in a victim’s browser after user interaction. The issue is gated by user interaction (e.g., visiting a craft...

CVSS 5.4 | AI score 5.3 | EPSS 0.00205
Exploits: 0 | References: 1 | Affected Software: 1

CVE
added 2025/12/09 2:52 p.m. | 11 views

CVE-2025-63046

CVE-2025-63046 : DOM-based XSS in the WordPress ListingPro plugin (

CVSS 6.5 | AI score 6 | EPSS 0.00211
Exploits: 0 | References: 1

RedhatCVE
added 2025/11/06 12:10 a.m. | 7 views

CVE-2025-61084

MDaemon Mail Server 23.5.2 validates SPF, DKIM, and DMARC using the email enclosed in angle brackets in the From: header of SMTP DATA. An attacker can craft a From: header with multiple invisible Unicode thin spaces to display a spoofed sender while passing validation, allowing email spoofing eve...

CVSS 7.1 | AI score 6.8 | EPSS 0.00196
Exploits: 0 | References: 1