46 matches found
Important: docker
Issue Overview: When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a...
EUVD-2026-31022
The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'anomifyapikey' parameter in versions up to and including 0.3.6. This is due to insufficient input sanitization and missing output escaping: the plugin applies sanitize_text_fie...
WordPress plugin Gravity Forms Cross-Site Scripting Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...
Cross-site Scripting (XSS)
Overview activesupport is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `@html_safe` flag used by a `SafeBuffer` method. An attacker can inject scripts by providing...
CVE-2025-63693
CVE-2025-63693 affects DzzOffice 2.3.x. The vulnerability resides in the comment editing template (dzz/comment/template/edit_form.htm), which does not adequately escape user-controllable data across HTML and JavaScript contexts. This can allow low-privilege attackers to craft comment content or r...
EUVD-2024-47653
Malicious code in bioql PyPI...
EUVD-2024-33770
Malicious code in bioql PyPI...
EUVD-2024-32982
Malicious code in bioql PyPI...
EUVD-2021-31109
Malicious code in bioql PyPI...
USN-7648-1 php8.1, php8.3, php8.4 vulnerabilities
It was discovered that PHP incorrectly handled certain hostnames containing null characters. A remote attacker could possibly use this issue to bypass certain hostname validation checks. CVE-2025-1220 It was discovered that PHP incorrectly handled the pgsql and pdo_pgsql escaping functions. A remo...
CVE-2025-53658
CVE-2025-53658 affects Jenkins Applitools Eyes Plugin (versions 1.16.5 and earlier). The vulnerability is a stored XSS on the build page caused by not escaping the Applitools URL, exploitable by attackers with Item/Configure permission. The issue is confirmed across multiple sources (including Je...
CVE-2024-45299
alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5, the preloaded data as JSON is not escaped correctly; an administrator or event admin could break their own install by inserting incorrectly escaped text. The...
CVE-2024-11685
The Kudos Donations – Easy donations and payments with Mollie plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.2.9. This makes it possible for unauthenticated attacker...
CVE-2021-44263
Gurock TestRail before 7.2.4 mishandles HTML escaping...
WordPress plugin Podlove Podcast Publisher Security Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. A WordPress plugin is an application extension. A security vulnerability...
CVE-2025-24374
Twig is a PHP template engine. The vulnerability CVE-2025-24374 concerns missing output escaping for the left side of the null coalescing operator (??). The issue is fixed in Twig 3.19.0. Severity in CVSSv3.1 is MEDIUM (4.3), but the document notes no exploitation details. Connected sources (NVD/...
CVE-2024-11204
The CVE refers to WordPress plugin ForumWP (Forum & Discussion Board) with a Reflected Cross-Site Scripting vulnerability via the url parameter in all versions up to and including 2.1.2. Public details confirm the issue stems from insufficient input sanitization and output escaping, enabling unau...
golang: html/template: errors returned from MarshalJSON methods may break template escaping
A flaw was found in Go's html/template standard library package. If errors returned from MarshalJSON methods contain user-controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing subsequent actions to inject unexpected content into...
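The advisory above turns on a detail of html/template that is easy to miss: values are escaped according to the context they land in (HTML body, attribute, JavaScript), and a JSON marshaler's error string is one of the few paths by which attacker data can reach that output without going through the normal string escaper. The example below is added here and is not code from the Go project or from the advisory. It renders the same template with text/template (no escaping) and html/template (contextual auto-escaping), then renders a hypothetical type `tainted` whose `MarshalJSON` fails and leaks its input into the error message, which is the sink the advisory describes; on a patched Go toolchain the error text no longer reaches the script block unescaped. The `tainted` type and the payload strings are constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	html "html/template"
	text "text/template"
)

// renderText executes tmpl with text/template, which performs no escaping at all.
func renderText(tmpl string, data any) string {
	var buf bytes.Buffer
	if err := text.Must(text.New("t").Parse(tmpl)).Execute(&buf, data); err != nil {
		return "EXEC ERROR: " + err.Error()
	}
	return buf.String()
}

// renderHTML executes tmpl with html/template, which picks an escaper per context
// (HTML text, quoted attribute, JS expression) at parse time.
func renderHTML(tmpl string, data any) string {
	var buf bytes.Buffer
	if err := html.Must(html.New("t").Parse(tmpl)).Execute(&buf, data); err != nil {
		return "EXEC ERROR: " + err.Error()
	}
	return buf.String()
}

// tainted is a hypothetical type (constructed for this example) whose MarshalJSON
// fails and copies the attacker-controlled input into the error string. In a JS
// context html/template marshals the value with encoding/json, so this error
// string, not a normally escaped literal, is what ends up in the output.
type tainted struct{ Input string }

func (t tainted) MarshalJSON() ([]byte, error) {
	return nil, fmt.Errorf("cannot encode %s", t.Input)
}

const (
	jsTmpl   = `<script>var name = {{.}};</script>`
	attrTmpl = `<a title="{{.}}">link</a>`
	bodyTmpl = `<p>{{.}}</p>`
)

func main() {
	// Constructed payload that tries to close the script block and open a new one.
	payload := `</script><script>alert(document.domain)</script>`

	fmt.Println("text/template, JS ctx :", renderText(jsTmpl, payload))
	fmt.Println("html/template, JS ctx :", renderHTML(jsTmpl, payload))
	fmt.Println("html/template, attr   :", renderHTML(attrTmpl, `" onmouseover="alert(1)`))
	fmt.Println("html/template, body   :", renderHTML(bodyTmpl, `<b>x</b>`))
	// The MarshalJSON error path: the error text is emitted inside a JS comment
	// followed by null; on a patched toolchain it is escaped before emission.
	fmt.Println("MarshalJSON error     :", renderHTML(jsTmpl, tainted{Input: payload}))
}
```

The first two lines of output make the contrast concrete: text/template emits the payload verbatim and the page now contains a second script element, while html/template emits `"\u003c/script\u003e..."`, a JSON string literal the HTML parser cannot mistake for a closing tag. The last line is the advisory's sink; run it on a toolchain older than the fix and the raw `</script>` from the error string appears inside the script block.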
CVE-2024-3916 Swift Framework <= 2.7.31 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
The Swift Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and including, 2.7.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...
CVE-2024-4383
CVE-2024-4383 affects the WordPress plugin Simple Membership. The vulnerability is a Stored Cross-Site Scripting via the plugin’s swpm_paypal_subscription_cancel_link shortcode in all versions up to and including 4.4.5, caused by insufficient input sanitization and output escaping on user-supplie...