CVE-2026-24906 October CMS has Stored XSS in its Backend Editor Markup Classes

October is a Content Management System CMS and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting XSS vulnerability in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to...

CVE-2026-24906

October is a Content Management System CMS and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting XSS vulnerability in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to...

Malicious code in stacks-editor (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 15f50509d5d9110a7233db4ed683100cc33c07a09055d93d32ed8f057a34ae3f The package stacks-editor was found to contain malicious code. Source: ossf-package-analysis...

MAL-2026-2629 Malicious code in stacks-editor (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 15f50509d5d9110a7233db4ed683100cc33c07a09055d93d32ed8f057a34ae3f The package stacks-editor was found to contain malicious code. Source: ossf-package-analysis...

PT-2026-32911

A server-side information disclosure vulnerability was identified in the INI settings parser. PHP's parse ini string function supports $ syntax for environment variable interpolation. Attackers with Editor access could inject $APP KEY, $DB PASSWORD, or similar patterns into CMS page settings...

PT-2026-32726

A stored cross-site scripting XSS vulnerability was identified in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala...

October 跨站脚本漏洞

October is an open-source content management system CMS and online platform developed by October. Versions prior to October 3.7.14 and 4.1.10 contained a cross-site scripting vulnerability. This vulnerability stemmed from improper handling of marker class field inputs in the backend editor...

[SECURITY] Fedora 44 Update: gthumb-3.12.10-7.fc44

gthumb is an application for viewing, editing, and organizing collections of images...

CVE-2026-39940

ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked 'Cancel' button on the page. For...

CVE-2026-39940 ChurchCRM has an Open Redirect via the ‘linkBack’ URL Parameter in DonatedItemEditor.php

ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked 'Cancel' button on the page. For...

CVE-2026-39940 ChurchCRM has an Open Redirect via the ‘linkBack’ URL Parameter in DonatedItemEditor.php

ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked 'Cancel' button on the page. For...

CVE-2026-39940

ChurchCRM prior to 7.0.0 exposes an open redirect via the linkBack URL parameter in DonatedItemEditor.php, allowing an authenticated user to be redirected to an attacker‑controlled URL when clicking Cancel. This affects versions before 7.0.0; the issue is fixed in 7.0.0. The CVSS metrics indicate...

Exploit for CVE-2025-66849

CVE-2025-66849 Ghost CMS Privilege Escalation PoC Summar...

CVE-2026-4150

A flaw was found in GIMP. A remote attacker can exploit this vulnerability by enticing a user to open a specially crafted PSD Photoshop Document file. This flaw is due to an integer overflow during the parsing of PSD files, which can lead to arbitrary code execution, allowing the attacker to run...

CVE-2026-4152

A flaw was found in GIMP. A remote attacker could exploit this by tricking a user into opening a specially crafted JP2 JPEG 2000 file. This flaw is due to a heap-based buffer overflow during JP2 file parsing, which allows for arbitrary code execution. Successful exploitation enables the attacker ...

Amazon Linux 2023 : vim-common, vim-data, vim-default-editor (ALAS2023-2026-1539)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1539 advisory. Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault SEGV exist in Vim's swap file recovery logic. Both are caused b...

EUVD-2026-21630

GIMP PSD File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a...

CVE-2026-4153

GIMP PSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page o...

CVE-2026-4152

GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page o...

EUVD-2026-21633

GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page o...