PT-2025-47596

Name of the Vulnerable Software and Affected Versions SOPlanning versions prior to 1.55 Description SOPlanning is susceptible to a Stored Cross-Site Scripting XSS issue within the /taches endpoint. An attacker with medium privileges can inject arbitrary HTML and JavaScript code into the website...

TencentOS Server 3: go-toolset (TSSA-2023:0116)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2023:0116 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities...

Security Bulletin: Eventlet Pre-0.40.3 HTTP Trailer Parsing Flaw Enables HTTP Request Smuggling

Summary Eventlet is a concurrent networking library for Python. Prior to version 0.40.3, the Eventlet WSGI parser is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer sections. This vulnerability could enable attackers to, bypass front-end security controls, launch...

EUVD-2025-198147

A improper neutralization of script-related html tags in a web page basic xss vulnerability in Fortinet FortiADC 8.0.0, FortiADC 7.6.0 through 7.6.3, FortiADC 7.4 all versions, FortiADC 7.2 all versions may allow attacker to execute unauthorized code or commands via crafted URL...

Google Chrome Code Problem Vulnerability (CNVD-2025-29240)

Google Chrome is a web browser developed by Google. A security vulnerability exists in Google Chrome versions prior to 136.0.7103.59, which stems from a flaw in the security handling of the sandboxing mechanism. The vulnerability can be exploited by an attacker to achieve a sandbox escape via a...

EUVD-2025-197890

Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: High...

CVE-2025-13229

CVE-2025-13229 is a type confusion in V8 affecting Google Chrome before 142.0.7444.59. The vulnerability allows a remote attacker to potentially trigger heap corruption via a crafted HTML page, with a high severity (CVSS v3.1: 8.8, AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Affected product/stack: Goo...

CVE-2025-13224

CVE-2025-13224 is a Type Confusion in V8 affecting Google Chrome prior to 142.0.7444.175, leading to potential heap corruption via a crafted HTML page. The issue affects Chrome’s V8 and was addressed in the 142.0.7444.175+ stable channel releases (Windows/macOS/Linux). Debian/Alpine security advi...

CVE-2025-13224

Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: High...

CVE-2025-63748

QaTraq 6.9.2 allows authenticated users to upload arbitrary files via the "Add Attachment" feature in the "Test Script" module. The application fails to restrict file types, enabling the upload of executable PHP files. Once uploaded, the file can be accessed through the "View Attachment" option,...

CLSA-2025-1763374645 varnish: Fix of 2 CVEs

CVE-2024-30156: fix HTTP/2 flow control vulnerability allowing window credit exhaustion Broke Window Attack causing potential denial of service - CVE-2025-47905: fix client-side request smuggling via malformed HTTP/1 chunked requests...

EUVD-2021-34720

ReQuest Serious Play F3 Media Server versions 7.0.3.4968 Pro, 7.0.2.4954, 6.5.2.4954, 6.4.2.4681, 6.3.2.4203, and 2.0.1.823 contain a remote denial-of-service vulnerability. The device can be shut down or rebooted by an unauthenticated attacker through a single crafted HTTP GET request, allowing...

RGW DoS attack with empty HTTP header in S3 object copy

...

DEBIAN-CVE-2024-7017

Inappropriate implementation in DevTools in Google Chrome prior to 126.0.6478.182 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. Chromium security severity: High...

CVE-2024-11919

CVE-2024-11919 concerns Google Chrome for Android, where an inappropriate implementation in Intents could let a remote attacker perform UI spoofing via a crafted HTML page. The issue affects Chrome on Android prior to version 129.0.6668.58 . The connected Red Hat/Ubuntu/Debian and other CVE feeds...

CVE-2025-64744 OpenObserve Vulnerable to HTML Injection in Organization Invitation Emails

OpenObserve is a cloud-native observability platform. In versions up to and including 0.16.1, when creating or renaming an organization with HTML in the name, the markup is rendered inside the invitation email. This indicates that user-controlled input is inserted into the email template without...

CVE-2025-20355 Cisco Catalyst Center Software HTTP Open Redirect Vulnerability

A vulnerability in the web-based management interface of Cisco Catalyst Center Virtual Appliance could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of HTTP request parameters. An attacker could exploit...

firefox: thunderbird: Mitigation bypass in the DOM: Core & HTML component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Mitigation bypass in the DOM: Core & HTML component...

CVE-2025-64711 PrivateBin vulnerable to malicious filename use for self-XSS / HTML injection locally for users

PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Starting in version 1.7.7 and prior to version 2.0.3, dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a crafted file on...

Siemens SIMATIC S7-1500 Double Free (CVE-2022-42915)

curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTPS URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request HTTP...