CVE-2026-10738 jQuery Hover Footnotes <= 1.4 - Authenticated (Author+) Stored Cross-Site Scripting via Footnote Qualifier ('{{...}}' Syntax)

The jQuery Hover Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Footnote Qualifier '...' Syntax in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

EUVD-2026-33256

An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands...

CVE-2026-9495

Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an...

GHSA-F5P7-2C9Q-8896 phpMyFAQ has Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization

Summary The FAQ creation and update endpoints in phpMyFAQ apply FILTERSANITIZESPECIALCHARS which HTML-encodes input, then immediately call htmlentitydecode which reverses the encoding, followed by Filter::removeAttributes which only strips HTML attributes — not tags. This allows , , , and tags to...

Security Bulletin: IBM Edge Data Collector uses bootstrap-table-1.18.1.min.js, bootstrap-table-1.18.2.min.js, bootstrap-table-export-1.18.2.min.js which are vulnerable to CVE-2022-1726, CVE-2021-23472.

Summary IBM Edge Data Collector uses bootstrap-table-1.18.1.min.js, bootstrap-table-1.18.2.min.js, bootstrap-table-export-1.18.2.min.js which are vulnerable to CVE-2022-1726, CVE-2021-23472. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details...

EUVD-2026-3608

GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting XSS vulnerability. The plugin attempts to sanitize user input using htmlspecialchars, but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to inject arbitrary...

CVE-2026-1008

A stored cross-site scripting XSS vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques. The injected...

CVE-2025-14719

The Relevanssi WordPress plugin before 4.26.0, Relevanssi Premium WordPress plugin before 2.29.0 do not sanitize and escape a parameter before using it in a SQL statement, allowing contributor and above roles to perform SQL injection attacks...

Linux Distros Unpatched Vulnerability : CVE-2019-20041

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - wpksesbadprotocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as...

Linux Distros Unpatched Vulnerability : CVE-2020-10693

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via comments contents in any page of the web interface. An attacker can execute arbitrary JavaScript in the browser of any user viewing the manipulated comment by injecting obfuscated payloads that bypass input...

Type confusion

This affects versions before 1.19.1 of package bootstrap-table. A type confusion vulnerability can lead to a bypass of input sanitization when the input provided to the escapeHTML function is an array instead of a string even if the escape attribute is set...

CVE-2021-23447 Cross-site Scripting (XSS)

This affects the package teddy before 0.5.9. A type confusion vulnerability can be used to bypass input sanitization when the model content is an array instead of a string...

Cross-site Scripting (XSS)

Overview bootstrap-table is an extended table to integration with some of the most widely used CSS frameworks. Supports Bootstrap, Semantic UI, Bulma, Material Design, Foundation, Vue.js. Affected versions of this package are vulnerable to Cross-site Scripting XSS. A type confusion vulnerability...

Cross-site Scripting (XSS)

Overview teddy is a The most readable and easy to learn templating language there is! Affected versions of this package are vulnerable to Cross-site Scripting XSS. A type confusion vulnerability can be used to bypass input sanitization when the model content is an array instead of a string. PoC...

hibernate-validator: Improper input validation in the interpolation of constraint error messages

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation escaping, stripping controls that developers may have put in place...