89542 matches found
SUSE CVE-2026-11701
Inappropriate implementation in Guest View in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to perform UI spoofing via a crafted HTML page. Chromium security severity: Medium...
python-vuln-scanner
Python Vulnerability Scanner !Pythonhttps://img.shields.io...
EUVD-2026-35887
An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10;...
CVE-2026-41003
An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10;...
PT-2026-48388
The Store Locator WordPress plugin before 1.6.6 does not sanitize and escape one of its settings before storing it and outputting it on the Store Locator WordPress plugin before 1.6.6 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks...
PT-2026-48470
A stored cross-site scripting vulnerability existed in MISP BSimVis tag rendering code. Several client-side rendering paths interpolated tag names, collection names, entity identifiers, cluster names, and tag metadata directly into HTML, HTML attributes, inline JavaScript event handlers, and CSS...
EulerOS 2.0 SP13 : golang (EulerOS-SA-2026-2334)
According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.CVE-2026-25679 Actions which insert URLs into the...
PT-2026-48393
The MW WP Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'memo' parameter in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above,...
PT-2026-48542
Overview Litestar instances which use a template engine in conjunction with CSRF protection are vulnerable to HTML Injection which can be escalated to Cross Site Scripting due to the contents of the CSRF cookie being excluded from automatic escaping by the template engine when configured inline...
Linux Distros Unpatched Vulnerability : CVE-2026-9549
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Stored cross-site scripting in the service discovery active check output in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows an administrator...
EulerOS 2.0 SP13 : golang (EulerOS-SA-2026-2291)
According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.CVE-2026-25679 Actions which insert URLs into the...
PT-2026-48399
An HTML injection vulnerability in the "fetch links" email sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation, Cross-Site Scripting XSS in emails clients that render HTML emails. This issue affects Canarytokens: from Docker tag sha-c0f3cf142 before sha-08c3f93d, from G...
PT-2026-48439
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, wrap line app/modules/common/common.py:181-186 and highlight word app/modules/common/common.py:188-192 build raw HTML by string concatenation with no escaping. The frontend...
CVE-2026-46546 Frappe LMS: HTML injection in user-controlled metadata
Frappe Learning Management System LMS is a learning system that helps users structure their content. Prior to version 2.53.0, an authenticated user could supply specially crafted content in certain user-editable fields that, when surfaced in page metadata, caused visitors' browsers to navigate to...
CVE-2026-46546
Summary: CVE-2026-46546 affects Frappe LMS. Before v2.53.0, an authenticated user could insert crafted content in certain user-editable fields, which—when surfaced in page metadata—caused visitors’ browsers to navigate to an attacker-chosen URL. The issue has been patched in v2.53.0. Impact (as s...
CVE-2026-46546 Frappe LMS: HTML injection in user-controlled metadata
Frappe Learning Management System LMS is a learning system that helps users structure their content. Prior to version 2.53.0, an authenticated user could supply specially crafted content in certain user-editable fields that, when surfaced in page metadata, caused visitors' browsers to navigate to...
CVE-2026-41003 Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting
An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10;...
CVE-2026-41003 Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting
An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10;...
CVE-2026-25557
Evoluted PHP Directory Listing Script through 4.0.5 contains a reflected cross-site scripting vulnerability in index.php where the dir parameter value is reflected without HTML encoding inside the HTML title element and inside anchor href attributes in the breadcrumb navigation. Attackers can...
CVE-2026-25557 Evoluted PHP Directory Listing Script 4.0.5 Reflected XSS via dir parameter
Evoluted PHP Directory Listing Script through 4.0.5 contains a reflected cross-site scripting vulnerability in index.php where the dir parameter value is reflected without HTML encoding inside the HTML title element and inside anchor href attributes in the breadcrumb navigation. Attackers can...