258 matches found
Rukovoditel <= 3.2.1 - Cross Site Scripting
Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting XSS vulnerability in the Add New Field function at /index.php?module=entities/fields&entitiesid=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name...
RLSA-2026:37123 Important: podman security, bug fix, and enhancement update
The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes. Security Fixes: golang.org/x/crypto/ssh: golang: golang.org/x/crypto/ssh: Denial of Service via crafted S...
RHEL 9 : podman (RHSA-2026:37123)
The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:37123 advisory. The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use...
CVE-2026-13989
Google Chrome is affected by CVE-2026-13989 due to an inappropriate implementation in PageInfo. Before version 150.0.7871.47, a remote attacker who had compromised a renderer process could trigger UI spoofing via a crafted HTML page. The core issue is in PageInfo; impact is limited to UI spoofing...
CVE-2026-13899
CVE-2026-13899 affects Google Chrome (Chromium) prior to 150.0.7871.47, with a use-after-free in HTML that allows a remote attacker to execute arbitrary code inside the sandbox via a crafted HTML page. Impact is rated high (C/H/I/A: High). The vulnerability is addressed by updating to Chrome 150....
CVE-2026-13899
Use after free in HTML in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: Medium...
Advanced Content Feedback (aka admin_feedback) - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-051
This module enables you to collect feedback from your site visitors on content pages, presenting Yes/No buttons and providing dashboards for administrators to review the responses. The module doesn't sufficiently sanitize several administrator-configured response messages the "Yes response", "No...
Security update for kubevirt
This update for kubevirt fixes the following issues: Update to version 1.7.4, fixes various go embedded security issues: CVE-2025-47911: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents bsc1251420. CVE-2025-47913: golang.org/x/crypto/ssh/agent: clien...
CVE-2026-46492 md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)
md-fileserver allows for local viewing of markdown files in a browser. Prior to version 1.10.3, a cross-site scripting XSS vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including tags—is processed and injecte...
CVE-2026-28445 Typebot: Stored XSS via Rating Block Custom Icon Bypasses isUnsafe Sandbox in Builder Preview
Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the RatingButton component in the embed package renders the user-controlled customIcon.svg field directly via Solid's innerHTML directive without any sanitization, even though DOMPurify is already a dependency and is used elsewhere ...
Improper Encoding or Escaping of Output
Overview sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the linkHref field handling. An...
NPM: Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
NPM: Apostrophe has default XSS via xmp raw-text passthrough in sanitize-html vulnerability discovered by ? in WordPress Npm sanitize-html versions 2.17.3...
PT-2026-40445
Name of the Vulnerable Software and Affected Versions efw4.X versions prior to 4.08.010 Description The 'previewServlet' serves files using detected MIME types based on file extensions without applying security headers or content sanitization. Files with extensions such as .html, .htm, or .svg ar...
EUVD-2026-26495
A weakness has been identified in MacCMS Pro up to 2022.1.3. This vulnerability affects the function install of the file /admi.php/admin/addon/add.html of the component Plugin Installation Handler. Executing a manipulation can lead to unrestricted upload. The attack may be performed from remote...
openSUSE 16 Security Update : MozillaFirefox (openSUSE-SU-2026:20621-1)
The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20621-1 advisory. Update to Firefox Extended Support Release 140.10.0 ESR. - MFSA 2026-32 bsc1262230: CVE-2026-6746: Use-after-free in the DOM: Core & HTML...
EUVD-2026-25158
STIG Manager is an API and web client for managing Security Technical Implementation Guides STIG assessments of Information Systems. Versions 1.5.10 through 1.6.7 have a reflected Cross-Site Scripting XSS vulnerability in the OIDC authentication error handling code in src/init.js and...
Linux Distros Unpatched Vulnerability : CVE-2026-6316
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page...
Arbitrary Code Injection
Overview Affected versions of this package are vulnerable to Arbitrary Code Injection in the handling of table captions during the rendering process. An attacker can execute arbitrary code with the privileges of the desktop client by syncing a crafted note containing malicious HTML or JavaScript ...
Cross-site Scripting (XSS)
Overview @pdfme/schemas is a TypeScript base PDF generator and React base UI. Open source, developed by the community, and completely free to use under the MIT license! Affected versions of this package are vulnerable to Cross-site Scripting XSS in the multiVariableText property panel when...
CVE-2026-0902
Inappropriate implementation in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. Chromium security severity: Medium...