EUVD-2026-35061

Stored cross-site scripting in the URL dashboard widget in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows a user with dashboard editing permissions to store a URL with a dangerous URI scheme such as javascript: that executes scripts in other users' browsers when they view the...

CVE-2026-44198

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. This vulnerability is fixed in 7.0.7...

CVE-2026-8080

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in misp allows Stored XSS. This issue affects MISP before 2.5.37. A stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted...

CVE-2026-42839

An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the itemname, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale POS cart interface for every operator who adds that item to a transaction.This issue...

CVE-2026-9590

Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privileges to modify asset information without the required permission...

CVE-2026-9590

Technical details beyond the description are not publicly provided in the supplied documents. No affected versions, exploit specifics, or remediation steps are confirmed here; monitor for updates from the vendor and standard advisories.

CVE-2026-47740

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel, mark paid, mark...

CVE-2026-7374 Kubevirt: kubevirt virt-handler: privilege escalation and node compromise via symlink following vulnerability

A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation when connecting to virtual machine console sockets. By replacing the console socket with a symlink to...

EUVD-2026-31824

A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation when connecting to virtual machine console sockets. By replacing the console socket with a symlink to...

CVE-2026-9104 Draft List <= 2.6.3 - Authenticated (Author+) Stored Cross-Site Scripting via Draft Post Title

The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Draft Post Title in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to...

CVE-2026-44198

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. This vulnerability is fixed in 7.0.7...

Wagtail has improper permission handling when viewing page history

Impact A CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. Patches Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix...

PT-2026-39233

Name of the Vulnerable Software and Affected Versions Wagtail versions prior to 7.0.7 Wagtail versions prior to 7.3.2 Wagtail versions prior to 7.4 Description A CMS user lacking page editing permissions can access the history report for a page, which may lead to the disclosure of sensitive...

Incorrect Authorization

Overview admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Incorrect Authorization due to an inverted authorization check in the twofactorauthentication.php process. An attacker can remove...

Helpy 跨站脚本漏洞

Helpy is an open-source customer support application developed by the American company Helpy. This program includes features such as a knowledge base, community discussions, and email functionality. Version 2.8.0 of Helpy contains a cross-site scripting vulnerability. This vulnerability stems fro...

EUVD-2026-25917

An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable and cause script execution when the published page is rendered. This issue affects pimcore: v12.3.3...

CVE-2026-5362 Pimcore Platform v12.3.3 - Stored XSS in Document Editable Embed rendering

An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable and cause script execution when the published page is rendered. This issue affects pimcore: v12.3.3...

CVE-2026-5362

CVE-2026-5362 affects Pimcore Platform v12.3.3. An authenticated user with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable, leading to script execution when the published page renders. Root cause: stored XSS in the Document embed rendering. Impac...

GHSA-J2G9-RPRV-HRHC Dolibarr user with permission to edit PHP content can bypass filtering to restrict dangerous PHP functions

In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code...

CVE-2026-31019

Summary: CVE-2026-31019 affects the Website module of Dolibarr ERP & CRM, version 22.0.4 and below. An authenticated user who can edit PHP content can bypass blacklist-based filtering of dangerous PHP functions and achieve full remote code execution, enabling arbitrary OS commands on the server. ...