GHSA-8WRQ-FV5F-PFP2 parisneo/lollms vulnerable to stored XSS in the social feature
A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the createpost function within backend/routers/social/init.py, where user-provided content is directly assigned to the...
EUVD-2026-10479
The MetForm Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Quiz feature in all versions up to, and including, 3.9.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...
CVE-2020-10974
An issue was discovered affecting a backup feature where a crafted POST request returns the current configuration of the device in cleartext, including the administrator password. No authentication is required. Affected devices: Wavlink WN575A3, Wavlink WN579G3, Wavlink WN531A6, Wavlink WN535G3,...
EUVD-2019-6577
Malware in sbrugna...
EUVD-2019-2740
Malware in sbrugna...
EUVD-2020-27957
Malware in sbrugna...
EUVD-2011-1373
Malware in sbrugna...
EUVD-2009-2949
Malware in sbrugna...
EUVD-2023-43101
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2016-3763
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - net/PacProxySelector.java in the Proxy Auto-Config PAC feature in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01 do...
GLPI security vulnerability
GLPI is a free asset and IT management software suite. A phishing attack vulnerability exists in GLPI versions 9.1.0 through 10.0.18, which stems from a planning feature that does not effectively filter malicious links sent by unauthenticated users. An attacker could use this vulnerability to...
CVE-2025-48001
Time-of-check time-of-use (TOCTOU) race condition in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack...
CVE-2025-5309
The chat feature within Remote Support (RS) and Privileged Remote Access (PRA) is vulnerable to a Server-Side Template Injection vulnerability which can lead to remote code execution...
PT-2025-25569 · Unknown · Privileged Remote Access +1
Name of the Vulnerable Software and Affected Versions: BeyondTrust Remote Support (affected versions not specified); BeyondTrust Privileged Remote Access (affected versions not specified). Description: The chat feature within Remote Support and Privileged Remote Access is vulnerable t...
CVE-2025-26159
Laravel Starter 11.11.0 is vulnerable to Cross Site Scripting (XSS) in the tags feature. Any user with the ability to create or modify tags can inject malicious JavaScript code in the name field...
CVE-2025-27735 Windows Virtualization-Based Security (VBS) Security Feature Bypass Vulnerability
...
CVE-2024-50053 Stored XSS
Zohocorp ManageEngine ServiceDesk Plus versions below 14920, ServiceDesk Plus MSP and SupportCentre Plus versions below 14910 are vulnerable to Stored XSS in the task feature...
CVE-2025-1635
CVE-2025-1635 affects Devolutions Remote Desktop Manager (Windows) versions 2024.3.29 and earlier. The hub data source export feature can expose a user's authenticated session in the exported data due to faulty business logic. This leads to potential information exposure with a CVSS v3.1 base s...
CVE-2024-5711
A stored Cross-Site Scripting (XSS) vulnerability exists in the stitionai/devika chat feature, allowing attackers to inject malicious payloads into the chat input. This vulnerability is due to the lack of input validation and sanitization on both the frontend and backend components of the...
GHSA-PMF4-V838-29HG Directus allows privilege escalation using Share feature
Summary: When sharing an item, a user can specify an arbitrary role. This allows the user to use a higher-privileged role to see fields that the user should otherwise not be able to see. Details: Specifying a role on share should be available only for admins. The current flow has a security flaw. Each other...