47684 matches found
CVE-2026-25896
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...
CVE-2026-25896
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...
CVE-2026-25896 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...
CVE-2026-25896 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...
CVE-2026-25896
CVE-2026-25896 affects the Node.js XML parser fast-xml-parser. From 4.1.3 up to (but not including) 5.3.5, a dot in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing shadowing of built-in entities and bypassing encoding, which can lead to XSS when parsed out...
CVE-2026-26192
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.0, aanually modifying chat history allows setting the html property within document metadata. This causes the frontend to enter a code path that treats document contents as HTML...
CVE-2018-13276
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2018. Notes: none...
CVE-2018-13272
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2018. Notes: none...
GHSA-9JMQ-XGJM-P8C2 Sync-in Server has a stored cross-site scripting (XSS) vulnerability
A Stored Cross-Site Scripting XSS vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information,...
fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
Entity encoding bypass via regex injection in DOCTYPE entity names Summary A dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities , , &, ", ' with arbitrary values. This bypasses entity encoding and leads to...
CVE-2026-27115 ADB Explorer is Vulnerable to Arbitrary Directory Deletion via Command-Line Argument
ADB Explorer is a fluent UI for ADB on Windows. Versions 0.9.26020 and below have an unvalidated command-line argument that allows any user to trigger recursive deletion of arbitrary directories on the Windows filesystem. ADB Explorer accepts an optional path argument to set a custom data...
CVE-2025-67438
A Stored Cross-Site Scripting XSS vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information,...
CVE-2025-67438
A Stored Cross-Site Scripting XSS vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information,...
February Linux Patch Wednesday
FebruaryLinux Patch Wednesday. In February, Linux vendors addressed 632 vulnerabilities - 1.5ร fewer than in January, including 305 in the Linux Kernel. Two vulnerabilities show signs of in-the-wild exploitation: ๐ป RCE - Chromium CVE-2026-2441 ๐ป InfDisc - MongoDB "MongoBleed" CVE-2025-14847 Publi...
CVE-2025-53217 WordPress AIO WP Builder Plugin <= 2.0.2 - Broken Access Control Vulnerability
Missing Authorization vulnerability in staviravn AIO WP Builder all-in-one-wp-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AIO WP Builder: from n/a through = 2.0.2...
CVE-2025-53217 WordPress AIO WP Builder Plugin <= 2.0.2 - Broken Access Control Vulnerability
Missing Authorization vulnerability in staviravn AIO WP Builder all-in-one-wp-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AIO WP Builder: from n/a through = 2.0.2...
CVE-2025-53217
The CVE-2025-53217 entry concerns the WordPress plugin AIO WP Builder (staviravn all-in-one-wp-builder) with versions up to and including 2.0.2, where a Missing Authorization vulnerability allows exploitation of incorrectly configured access control. The root cause is broken access control in the...
Inside the Fix: Analysis of In-the-Wild Exploit of CVE-2026-21513
Read how PatchDiff-AI uncovered the root cause of CVE-2026-21513 โ an actively exploited MSHTML vulnerability โ and how APT28 leveraged it in real-world attacks...
MINI-32FX-4RQJ-FG3X
Bulletin has no description...
MINI-RCV9-RG56-6CHH
Bulletin has no description...