HCL AION Information Disclosure Vulnerability (CNVD-2026-16403)

HCL AION is an AI lifecycle management platform from HCL India. HCL AION suffers from an information disclosure vulnerability that stems from the password field not disabling autocomplete, which can be exploited by an attacker to cause sensitive credentials to be stored or disclosed...

Microcom ZeusWeb 安全漏洞

Microcom ZeusWeb is a remote monitoring platform developed by the Spanish company Microcom. Version 6.1.31 of Microcom ZeusWeb contains a security vulnerability. This vulnerability stems from the injection of XSS payloads into the Name and Surname parameters within the My Account section, which m...

Top Password Dialup Password Recovery 安全漏洞

Top Password Dialup Password Recovery is a password recovery tool developed by Top Password Inc. Version 1.30 of Top Password Dialup Password Recovery has a security vulnerability; this vulnerability stems from a buffer overflow in the input fields, which could lead to a denial-of-service attack...

CVE-2025-12699

The ZOLL ePCR IOS application reflects unsanitized user input into a WebView. Attacker-controlled strings placed into PCR fields run number, incident, call sign, notes are interpreted as HTML/JS when the app prints or renders that content. In the proof of concept POC, injected scripts return loca...

CVE-2026-2268

The Ninja Forms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.0. This is due to the unsafe application of the ninjaformsmergetags filter to user-supplied input within repeater fields, which allows the resolution of postmeta:KEY mer...

CVE-2026-2268

The CVE-2026-2268 entry concerns Ninja Forms for WordPress (

CVE-2026-2268 Ninja Forms <= 3.14.0 - Unauthenticated Information Disclosure in nf_ajax_submit AJAX Action

The Ninja Forms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.0. This is due to the unsafe application of the ninjaformsmergetags filter to user-supplied input within repeater fields, which allows the resolution of postmeta:KEY mer...

PT-2026-7469

Name of the Vulnerable Software and Affected Versions ZOLL ePCR IOS application affected versions not specified Description The application displays user-supplied data within a WebView without proper sanitization. Specifically, attacker-controlled strings entered into PCR fields such as run numbe...

Siemens S7-1500 Incorrect Type Conversion or Cast (CVE-2025-40022)

In the Linux kernel, the following vulnerability has been resolved: crypto: afalg - Fix incorrect boolean values in afalgctx Commit 1b34cbbf4f01 crypto: afalg - Disallow concurrent writes in afalgsendmsg changed some fields from bool to 1-bit bitfields of type u32. However, some assignments to...

PT-2026-7248

The Ninja Forms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.0. This is due to the unsafe application of the ninja forms merge tags filter to user-supplied input within repeater fields, which allows the resolution of post meta:KEY...

Unity Linux 20.1050a / 20.1060a / 20.1070a Security Update: pcs (UTSA-2026-005314)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005314 advisory. Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, Rack::Multipart::Parser stores non-file form fields parts without a...

Cross-site Scripting (XSS)

craftcms/commerce is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper sanitization of the Shipping Zone name and description fields in the Store Management section, which allows an attacker to inject and execute malicious JavaScript in an administrator’s browser via th...

GHSA-7JX7-3846-M7W7 Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior

Relationship to Previously Patched Vulnerability This vulnerability is in addition to the RCE vulnerability patched in GHSA-255j-qw47-wjh5. That advisory addressed a similar RCE vulnerability that affected two specific routes: - /index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-setting...

Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior

Relationship to Previously Patched Vulnerability This vulnerability is in addition to the RCE vulnerability patched in GHSA-255j-qw47-wjh5. That advisory addressed a similar RCE vulnerability that affected two specific routes: - /index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-setting...

CVE-2026-2159

A flaw has been found in SourceCodester Simple Responsive Tourism Website 1.0. Affected is an unknown function of the file /tourism/classes/Master.php?f=register of the component Registration. Executing a manipulation of the argument firstname/lastname/username can lead to cross site scripting. I...

CVE-2026-22904 Stack Overflow via Oversized Cookie Fields in lighttpd

Improper length handling when parsing multiple cookie fields including TRACKID allows an unauthenticated remote attacker to send oversized cookie values and trigger a stack buffer overflow, resulting in a denial‑of‑service condition and possible remote code execution...

CVE-2026-22904

CVE-2026-22904 affects lighttpd, where improper length handling when parsing multiple cookie fields (including TRACKID) allows an unauthenticated remote attacker to send oversized cookie values and trigger a stack buffer overflow. This can result in a denial-of-service condition and potentially r...

WordPress User Extra Fields plugin <= 16.8 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin User Extra Fields versions = 16.8...

CVE-2025-66605

CVE-2025-66605 affects Yokogawa FAST/TOOLS, specifically the components/packages RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB, in versions R9.01–R10.04. The public descriptions indicate a client-side issue where input fields with the autocomplete attribute enabled may cause entered data to be saved in t...

CVE-2025-66605

A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. Since there are input fields on this webpage with the autocomplete attribute enabled, the input content could be saved in the browser the user is using. The affected products and versions are as follows:...