GHSA-9P44-J4G5-CFX5 Trivy Action has a script injection via sourced env file in composite action

Command Injection in aquasecurity/trivy-action via Unsanitized Environment Variable Export A command injection vulnerability exists in aquasecurity/trivy-action due to improper handling of action inputs when exporting environment variables. The action writes export VAR= lines to trivyenvs.txt bas...

Infinite loop

Overview jsrsasign is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the BigInteger.modInverse implementation receives zero or negative inputs, allowing an attacker to hang the...

Reliance on Untrusted Inputs in a Security Decision

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Reliance on Untrusted Inputs in a Security Decision via unsafe handling of the PATH environment variable. An authenticated attacker with access to an execution surface can execute arbitra...

NVIDIA Megatron Bridge 代码注入漏洞

NVIDIA Megatron Bridge is a component developed by NVIDIA Corporation in the United States that connects Hugging Face and Megatron-Core. NVIDIA Megatron Bridge has a code injection vulnerability. This vulnerability arises from malicious inputs in the data merging process, which may lead to code...

NVIDIA Megatron Bridge 代码注入漏洞

NVIDIA Megatron Bridge is a component developed by NVIDIA Corporation in the United States that connects Hugging Face and Megatron-Core. NVIDIA Megatron Bridge has a code injection vulnerability. This vulnerability arises from malicious inputs in the data shuffling tutorial, which may lead to cod...

PT-2026-20564

Command Injection in aquasecurity/trivy-action via Unsanitized Environment Variable Export A command injection vulnerability exists in aquasecurity/trivy-action due to improper handling of action inputs when exporting environment variables. The action writes export VAR= lines to trivy envs.txt...

PT-2026-23565

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.14 clawdbot versions prior to 2026.1.24-3 Description The software decodes base64-backed media inputs into buffers before enforcing decoded-size budget limits. Attackers can supply oversized base64 payloads,...

npm-serialize-javascript: Cross-site Scripting (XSS) in serialize-javascript

A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by...

CVE-2019-25387

Smoothwall Express 3.1-SP4-polar-x86_64-update9 is affected by a reflected cross-site scripting vulnerability in xtaccess.cgi. An unauthenticated attacker can inject JavaScript by sending crafted input to the xtaccess.cgi endpoint via POST, exploiting the EXT, DEST_PORT, or COMMENT parameters to ...

Smoothwall Express 跨站脚本漏洞

Smoothwall Express is Smoothwall open source a GNU/Linux-based firewall operating system . Smoothwall Express suffers from a cross-site scripting vulnerability that originates from the interfaces.cgi script to GREENADDRESS, GREENNETMASK, REDDHCPHOSTNAME, REDADDRESS, DNS1OVERRIDE, DNS2 OVERRIDE,...

PT-2026-8370

Smoothwall Express 3.1-SP4-polar-x86 64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the xtaccess.cgi endpoint. Attackers can inject script payloads through the EXT, DEST PORT, or...

WordPress plugin Best-wp-google-map 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

Linux kernel 安全漏洞

The Linux kernel is the core of the open-source operating system Linux, developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the drmgemchangehandleioctl function not verifying user-space inputs, potentially triggering a...

CVE-2026-26226 beautiful-mermaid < 0.1.3 SVG Attribute Injection

beautiful-mermaid versions prior to 0.1.3 contain an SVG attribute injection issue that can lead to cross-site scripting XSS when rendering attacker-controlled Mermaid diagrams. User-controlled values from Mermaid style and classDef directives are interpolated into SVG attribute values without...

CVE-2026-26226 beautiful-mermaid < 0.1.3 SVG Attribute Injection

beautiful-mermaid versions prior to 0.1.3 contain an SVG attribute injection issue that can lead to cross-site scripting XSS when rendering attacker-controlled Mermaid diagrams. User-controlled values from Mermaid style and classDef directives are interpolated into SVG attribute values without...

CVE-2025-69873

A flaw was found in ajv. When the $data option is enabled, the value of the pattern keyword is passed directly to the JavaScript RegExp constructor without sufficient validation. An attacker able to supply a malicious regular expression pattern can trigger a ReDoS Regular Expression Denial of...

InternetSoft FTP Navigator 安全漏洞

InternetSoft FTP Navigator is an FTP client software developed by InternetSoft Corporation. Version 8.03 of InternetSoft FTP Navigator contains a security vulnerability, which stems from a buffer overflow issue in custom command inputs, potentially leading to the application crashing...

SUSE SLES15 / openSUSE 15 Security Update : uriparser (SUSE-SU-2026:0444-1)

The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:0444-1 advisory. - CVE-2025-67899: large input containing many commas can cause unbounded recursion and stack consumption bsc1255000. Tenable has extracted...

CVE-2026-21514

Reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally...

CVE-2026-1809

The HTML Tag Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...