EUVD-2026-39603
A stored XSS vulnerability exists in the maintenance-acl-check.php and maintenance-banners-check.php tools of Revive Adserver 6.0.7. The issue was caused by entity names being displayed without proper escaping when inconsistencies were detected. Whether the XSS payload is executed when an...
CVE-2026-50742
CVE-2026-50742 describes a stored XSS in Revive Adserver 6.0.7, occurring in the maintenance tools, specifically in the files maintenance-acl-check.php and maintenance-banners-check.php. The root cause is that entity names are displayed without proper escaping when inconsistencies are detected, ...
Revive Adserver: Stored XSS in maintenance tools via unescaped entity names
A stored XSS vulnerability was discovered in the maintenance tools of Revive Adserver 6.0.7. The issue was caused by entity names being displayed without proper escaping when inconsistencies were detected in the maintenance-acl-check.php and maintenance-banners-check.php files...
CVE-2026-35218
Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's @html directive without any sanitization. An authenticated user with Builder access can create a table, automation, vie...
CVE-2026-35218 Budibase: Stored XSS via unsanitized entity names rendered with {@html} in Builder Command Palette
Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's @html directive without any sanitization. An authenticated user with Builder access can create a table, automation, vie...
CVE-2026-35218
Budibase (open‑source low-code platform) prior to version 3.32.5 is affected by a Stored XSS in the Builder Command Palette. The vulnerability arises because entity names (tables, views, queries, automations) are rendered using Svelte’s {@html} without sanitization, allowing an authenticated Buil...
Budibase cross-site scripting vulnerability
Budibase is an open-source platform developed by Budibase in the UK. It allows for the creation of internal applications, workflows, and management panels within minutes. Versions of Budibase prior to 3.32.5 contained a cross-site scripting vulnerability. This vulnerability stemmed from the use o...
Linux kernel security vulnerability
The Linux kernel is the kernel used by the Linux operating system developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from an unchecked allocation of entity names. This vulnerability may lead to null pointer dereferencing...
EUVD-2026-10918
Sylius Vulnerable to Authenticated Stored XSS...
Cross-site Scripting (XSS)
Overview: sylius/sylius is a platform for PHP, based on the Symfony framework. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the rendering of entity names within various frontend and admin panel components, such as breadcrumbs, taxon pickers, and autocomplete fields,...
CVE-2026-31823
Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML. Shop breadcrumbs (shared/breadcrumbs.html.twig): The...
CVE-2026-31823 Sylius has Authenticated Stored XSS
Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML. Shop breadcrumbs (shared/breadcrumbs.html.twig): The...
CVE-2026-31823
Summary (CVE-2026-31823) Sylius (Symfony-based eCommerce framework) has an authenticated stored XSS vulnerability across multiple frontend and admin areas due to unsanitized entity names rendered as raw HTML. Specifically: Shop breadcrumbs (shared/breadcrumbs.html.twig) use the Twig |raw filter o...
Sylius cross-site scripting vulnerability
Sylius is an open-source e-commerce platform developed by the Polish company Sylius, based on the Symfony framework. Sylius has a cross-site scripting vulnerability. This vulnerability arises from the fact that entity names are rendered as raw HTML at multiple locations in both the store frontend...
PT-2026-24477
Name of the Vulnerable Software and Affected Versions: Sylius versions 1.9.12 through 2.2.3. Description: Sylius, an Open Source eCommerce Framework on Symfony, contains an authenticated stored cross-site scripting (XSS) issue in multiple areas of the shop frontend and admin panel. This is due to...
CVE-2026-25896
CVE-2026-25896 affects the Node.js XML parser fast-xml-parser. From 4.1.3 up to (but not including) 5.3.5, a dot in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing shadowing of built-in entities and bypassing encoding, which can lead to XSS when parsed out...