6137 matches found

NVD
added 2026/06/17 1:20 p.m. | 7 views

CVE-2026-40721

Contributor Local File Inclusion in Element Pack Pro <= 9.0.6 versions...

7.5 CVSS | 0.004 EPSS
Exploits: 0 | References: 1
Cvelist
added 2026/06/17 9:50 a.m. | 28 views

CVE-2026-40721 WordPress Element Pack Pro plugin <= 9.0.6 - Local File Inclusion vulnerability

Contributor Local File Inclusion in Element Pack Pro <= 9.0.6 versions...

7.5 CVSS | 0.004 EPSS
Exploits: 0 | References: 1
CVE
added 2026/06/17 9:50 a.m. | 17 views

CVE-2026-40721

CVE-2026-40721 affects WordPress Element Pack Pro plugin, <= 9.0.6, with a Local File Inclusion vulnerability. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) yields a base score of 7.5 (HIGH). Exploitation is reported as network-based with high attack complexity and requires no user...

7.5 CVSS | 5.2 AI score | 0.004 EPSS
Exploits: 0 | References: 1
Positive Technologies
added 2026/06/17 12:0 a.m. | 11 views

PT-2026-50550

Name of the Vulnerable Software and Affected Versions: CakePHP versions prior to 4.5.11; CakePHP versions 4.6.0 through 4.6.3; CakePHP versions 5.0.0 through 5.1.6; CakePHP versions 5.2.0 through 5.2.12; CakePHP versions 5.3.0 through 5.3.5. Description: The getElementFileName function in the View class...

6.3 CVSS | 5.9 AI score | 0.00258 EPSS
Exploits: 0 | References: 6
Tenable Nessus
added 2026/06/17 12:0 a.m. | 5 views

Bosch Security Systems IP Cameras Uncontrolled Resource Consumption (CVE-2023-32229)

Due to an error in the software interface to the secure element chip on Bosch IP cameras of family CPP13 and CPP14, the chip can be permanently damaged when enabling the Stream security option signing of the video stream with option MD5, SHA-1 or SHA-256. This plugin only works with Tenable.ot...

6.5 CVSS | 6.4 AI score | 0.0059 EPSS
Exploits: 0 | References: 2
Tenable Nessus
added 2026/06/17 12:0 a.m. | 7 views

Bosch Security Systems IP Cameras NXP Chip Side-Channel Key Extraction (CVE-2021-3011)

Several Bosch IP cameras are built on a hardware platform that uses an NXP SmartMX/P5x secure element affected by an electromagnetic-wave side-channel vulnerability. An attacker with extended physical access to the device could recover the ECDSA private key and clone the device. The issue resides...

4.2 CVSS | 5.5 AI score | 0.00196 EPSS
Exploits: 1 | References: 2
OSV
added 2026/06/15 7:53 p.m. | 4 views

GHSA-R47G-FVHR-H676 DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM

IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM CWE: CWE-79 XSS — Improper Neutralization of Input During Web Page Generation via CWE-693 Protection Mechanism Failure — silent no-op when forceRemove is called on a parent-less node Summa...

6.1 CVSS | 5.5 AI score | 0.00042 EPSS
Exploits: 0 | References: 2
Github Security Blog
added 2026/06/15 7:53 p.m. | 14 views

DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM

IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM CWE: CWE-79 XSS — Improper Neutralization of Input During Web Page Generation via CWE-693 Protection Mechanism Failure — silent no-op when forceRemove is called on a parent-less node Summa...

5.4 AI score | 0.00042 EPSS
Exploits: 0 | References: 2 | Affected Software: 1
OSV
added 2026/06/15 5:21 p.m. | 4 views

GHSA-GXX4-3XCV-F8QX @angular/platform-server: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scripting (XSS) in Angular SSR

A Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency domino when serializing the content of `<noscript>` elements. When rendering dynamic text content inside a `<noscript>` element via template bindings such as value or textContent, the template engine expects the browser ...

8.6 CVSS | 5.5 AI score | 0.00228 EPSS
Exploits: 0 | References: 4
Snyk
added 2026/06/15 4:51 p.m. | 6 views

Cross-site Scripting (XSS)

Overview @angular/core is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this...

6.1 CVSS | 5.8 AI score | 0.00238 EPSS
Exploits: 0 | References: 2
Github Security Blog
added 2026/06/15 4:51 p.m. | 30 views

@angular/core: Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (XSS)

An issue in the @angular/core package allows bypassing script-execution restrictions during dynamic component creation. Specifically, the dynamic component instantiation mechanism createComponent failed to reject mounting components directly onto a or namespaced script element such as . This...

6.1 CVSS | 6.1 AI score | 0.00238 EPSS
Exploits: 0 | References: 4 | Affected Software: 1
Positive Technologies
added 2026/06/15 12:0 a.m. | 19 views

PT-2026-49247

Name of the Vulnerable Software and Affected Versions: Angular versions prior to 22.0.1; Angular versions prior to 21.2.17; Angular versions prior to 20.3.25. Description: Angular supports Hydration via provideClientHydration to optimize client-side bootstrap in Server-Side Rendered (SSR) environments...

8.6 CVSS | 5.8 AI score | 0.00179 EPSS
Exploits: 0 | References: 6
Positive Technologies
added 2026/06/15 12:0 a.m. | 11 views

PT-2026-49568

Name of the Vulnerable Software and Affected Versions: Angular versions prior to 22.0.0-rc.2; Angular versions prior to 21.2.15; Angular versions prior to 20.3.22; Angular versions prior to 19.2.23. Description: An issue in the @angular/core package allows bypassing script-execution restrictions during...

5.3 CVSS | 6 AI score | 0.00238 EPSS
Exploits: 0 | References: 6
Positive Technologies
added 2026/06/15 12:0 a.m. | 13 views

PT-2026-49559

If the HTML you give it contains a `<template>` element, and inside that template there's an element with a shadow DOM attached to it, DOMPurify quietly skips over the shadow contents. Whatever the attacker put in there - an image with an onerror handler, a link with a javascript: URL, even a full script -...

5.1 CVSS | 5.1 AI score | 0.00038 EPSS
Exploits: 0 | References: 3
Cvelist
added 2026/06/13 2:34 a.m. | 30 views

CVE-2026-54228 Abrt: toctou race condition in abrt-dbus setelement allows arbitrary file writes to dump directories

A time-of-check time-of-use (TOCTOU) race condition was found in the abrt-dbus D-Bus service's SetElement method. Between dump directory creation and post-create event execution, any local user can call SetElement to write arbitrary text files into the root-owned dump directory, bypassing package...

7.8 CVSS | 0.00103 EPSS
Exploits: 0 | References: 2
Cvelist
added 2026/06/12 8:39 p.m. | 31 views

CVE-2026-44990 Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of sanitize-html prior to 2.17.4 can turn attacker-controlled content inside a disallowed xmp element into live HTML or...

9.3 CVSS | 0.0037 EPSS
Exploits: 0 | References: 1
OSV
added 2026/06/11 1:26 p.m. | 7 views

GHSA-6VHH-4XW6-H2H2 Element Call reports full URLs of visited pages to analytics server

Impact: Element Call versions 0.5.17 through 0.19.3 report analytics data to a PostHog server, when configured to by a posthog key in config.json or by the posthogApiHost and posthogApiKey URL parameters. Several fields of this data ($initial_person_info, $session_entry_url, and $current_url) were found ...

8.6 CVSS | 5.5 AI score | 0.00023 EPSS
Exploits: 0 | References: 3
Github Security Blog
added 2026/06/11 1:26 p.m. | 11 views

Element Call reports full URLs of visited pages to analytics server

Impact: Element Call versions 0.5.17 through 0.19.3 report analytics data to a PostHog server, when configured to by a posthog key in config.json or by the posthogApiHost and posthogApiKey URL parameters. Several fields of this data ($initial_person_info, $session_entry_url, and $current_url) were found ...

5.5 AI score | 0.00023 EPSS
Exploits: 0 | References: 3 | Affected Software: 1
Positive Technologies
added 2026/06/11 12:0 a.m. | 16 views

PT-2026-48666

Guzzle Services provides an implementation of the Guzzle Command library that uses Guzzle service descriptions to describe web services, serialize requests, and parse responses into easy-to-use model structures. Versions prior to 1.5.4 do not safely serialize scalar XML element values containing...

5.8 CVSS | 5.4 AI score | 0.00219 EPSS
Exploits: 0 | References: 2
Positive Technologies
added 2026/06/11 12:0 a.m. | 15 views

PT-2026-48683

Impact: Element Call versions 0.5.17 through 0.19.3 report analytics data to a PostHog server, when configured to by a posthog key in config.json or by the posthogApiHost and posthogApiKey URL parameters. Several fields of this data ($initial_person_info, $session_entry_url, and $current_url) were...

8.6 CVSS | 5.5 AI score | 0.00023 EPSS
Exploits: 0 | References: 4