1077 matches found
GHSA-98WM-CXPW-847P Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items
Vulnerability Details Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal. The line item description field was not passed through purify::clean before...
PT-2026-27631
Name of the Vulnerable Software and Affected Versions Invoice Ninja versions 5.13.0 through 5.13.3 Description Invoice Ninja allows for the execution of stored cross-site scripting XSS payloads through invoice line item descriptions in versions 5.13.0 through 5.13.3. The line item description fie...
PT-2026-27587
Name of the Vulnerable Software and Affected Versions iOS versions prior to 18.7.7 iPadOS versions prior to 18.7.7 macOS Sequoia versions prior to 15.7.5 macOS Sonoma versions prior to 14.8.5 macOS Tahoe versions prior to 26.4 visionOS versions prior to 26.4 watchOS versions prior to 26.4...
New Search Experience for Veeam Data Cloud for Microsoft 365
Purpose We are excited to announce the initial rollout of our new search feature, designed to significantly improve the speed and efficiency of your search experience. Below are the details and important limitations to be aware of during this phased rollout. What's New Faster Search Experience Ou...
Malicious code in pulse-scroll-triggered-list-items (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5917623184677210f5a42bead660945379d7a3c1cabf055e011a2794a233d517 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Linux Distros Unpatched Vulnerability : CVE-2026-0602
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowe...
EUVD-2026-11397
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, track/item names from the Track Anything feature are stored from user input POST and later rendered in Dygraph charts titles/labels using innerHTML or equivalent without...
CVE-2026-0602
Removed by vendor...
EUVD-2026-10914
Sylius is Missing Authorization in API v2 Add Item Endpoint...
CVE-2026-31821
Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/tokenValue/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue...
CVE-2026-31821 Sylius is Missing Authorization in API v2 Add Item Endpoint
Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/tokenValue/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue...
Sylius 安全漏洞
Sylius is an open-source e-commerce platform developed by the Polish company Sylius, based on the Symfony framework. There is a security vulnerability in Sylius. This vulnerability stems from the lack of validation for ownership in the POST /api/v2/shop/orders/tokenValue/items endpoint. As a...
CVE-2026-3672
A vulnerability has been found in JeecgBoot up to 3.9.1. Affected is the function isExistSqlInjectKeyword of the file /jeecg-boot/sys/api/getDictItems. Such manipulation leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used...
EUVD-2026-10189
A vulnerability has been found in JeecgBoot up to 3.9.1. Affected is the function isExistSqlInjectKeyword of the file /jeecg-boot/sys/api/getDictItems. Such manipulation leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used...
CVE-2026-3672 JeecgBoot getDictItems isExistSqlInjectKeyword sql injection
A vulnerability has been found in JeecgBoot up to 3.9.1. Affected is the function isExistSqlInjectKeyword of the file /jeecg-boot/sys/api/getDictItems. Such manipulation leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used...
CVE-2026-3672
A vulnerability has been found in JeecgBoot up to 3.9.1. Affected is the function isExistSqlInjectKeyword of the file /jeecg-boot/sys/api/getDictItems. Such manipulation leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used...
CVE-2026-30843
Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference IDOR issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data...
PT-2026-23883
Name of the Vulnerable Software and Affected Versions JeecgBoot versions up to 3.9.1 Description A flaw exists within JeecgBoot that allows for SQL injection. This issue is located in the isExistSqlInjectKeyword function within the /jeecg-boot/sys/api/getDictItems file. Successful exploitation...
BIT-DISCOURSE-2026-26265 Discourse has IDOR vulnerability in the directory items endpoint
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an IDOR vulnerability in the directory items endpoint allows any user, including anonymous users, to retrieve private user field values for all users in the directory. The userfieldids parameter ...
CVE-2026-28354
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 59, collection item operations are vulnerable to authorization flaws, allowing a normal authenticated user to modify another user’s collection items. This affects both add item /actions/addtocollection.php due to missi...