358 matches found
Astra Linux - уязвимость в firefox, thunderbird
An attacker could cause a select dropdown menu to be displayed over another tab; this could lead to user confusion and potential spoofing attacks. This vulnerability affects Firefox 133, Firefox ESR 128.5, Thunderbird 133, and Thunderbird 128.5...
firefox: thunderbird: Select list elements could be shown over another site
A flaw was found in Mozilla. The Mozilla Foundation's Security Advisory describes the following issue: An attacker could cause a select dropdown to be shown over another tab; this could have led to user confusion and possible spoofing attacks...
Astra Linux - уязвимость в firefox, thunderbird
A website could have obscured the fullscreen notification by using a dropdown select input element. This could have caused user confusion and potentially led to spoofing attacks. This vulnerability affects Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8...
Malicious code in @bmg-web/bmg-dropdown (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ba8b2c9cb8ff59d283200d129e3ad62a7f469072326443114ebadcda2da4f894 The package @bmg-web/bmg-dropdown was found to contain malicious code. Source: ossf-package-analysis...
MAL-2026-2986 Malicious code in @bmg-web/bmg-dropdown (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ba8b2c9cb8ff59d283200d129e3ad62a7f469072326443114ebadcda2da4f894 The package @bmg-web/bmg-dropdown was found to contain malicious code. Source: ossf-package-analysis...
CVE-2026-23489
Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been patched in version 1.23.3...
CVE-2026-32890 Anchorr: Stored XSS in User Mapping dropdown allows unprivileged Discord users to exfiltrate all secrets via /api/config
Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting XSS vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the...
CVE-2026-32890 Anchorr: Stored XSS in User Mapping dropdown allows unprivileged Discord users to exfiltrate all secrets via /api/config
Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting XSS vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the...
PT-2026-26545
Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting XSS vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the...
Malicious code in @emerald-react/dropdown (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b6123af9a9aaf14730582221f6fa6a266c56c772a01f82e3e4812aea90b691f1 The package @emerald-react/dropdown was found to contain malicious code...
MAL-2026-1608 Malicious code in @emerald-react/dropdown (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b6123af9a9aaf14730582221f6fa6a266c56c772a01f82e3e4812aea90b691f1 The package @emerald-react/dropdown was found to contain malicious code...
CVE-2026-26001 GLPI Inventory Plugin has SQL Injection on dropdown_calendar Report
The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, non sanitized user input can lend to an SQL injection from reports, with adequate rights. This vulnerability is fixed in 1.6.6...
CVE-2026-26001 GLPI Inventory Plugin has SQL Injection on dropdown_calendar Report
The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, non sanitized user input can lend to an SQL injection from reports, with adequate rights. This vulnerability is fixed in 1.6.6...
CVE-2026-26001 GLPI Inventory Plugin has SQL Injection on dropdown_calendar Report
The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, non sanitized user input can lend to an SQL injection from reports, with adequate rights. This vulnerability is fixed in 1.6.6...
CVE-2026-23489
CVE-2026-23489 affects the GLPI plugin Fields . Prior to version 1.23.3, it allows arbitrary PHP code execution by users who can create dropdowns, via the dropdown generation process. The issue has been fixed in version 1.23.3 . Exploitation details are not provided in the available documents; no...
EUVD-2026-12456
Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been patched in version 1.23.3...
CVE-2026-30843
Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference IDOR issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data...
VulnCheck KEV: CVE-2024-3495
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' parameters in versions up to, and including, 2.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes i...
WordPress GeoDataSource Country Region DropDown plugin <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin GeoDataSource Country Region DropDown versions = 1.0.1...
CVE-2026-23724
WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting XSS vulnerability was identified in the html/atendido/cadastroocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the...