CVE-2026-4665 WP Carousel Free <= 2.7.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-caption' Attribute

The WP Carousel Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted fancybox data-caption attributes in all versions up to, and including, 2.7.10. This is due to the fancybox-config.js script reading the carousel container's id attribute directly from the DOM to...

Exploit for Cross-site Scripting in Jquery

No d...

Security Bulletin: Multiple Vulnerabilities in Hyper-Converged Database

Summary Multiple vulnerabilities were addressed in Hyper-Converged Database version 1.2.5 Vulnerability Details CVEID:CVE-2024-56433 DESCRIPTION: shadow-utils aka shadow 4.4 through 4.17.0 establishes a default /etc/subuid behavior e.g., uid 100000 through 165535 for the first user account that c...

DRUPAL-CORE-2026-001

Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which which can lead to a cross-site scripting XSS vulnerability...

PT-2026-33240

Name of the Vulnerable Software and Affected Versions Drupal versions prior to 10.5.9 Drupal versions prior to 10.6.7 Drupal versions prior to 11.2.11 Drupal versions prior to 11.3.7 Description Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain...

Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001

Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which which can lead to a cross-site scripting XSS vulnerability...

Security Bulletin: Vulnerabilities in Jetty, Eclipse Jetty,Spring Cloud Netflix Zuul,Spring Framework,Spring Security,NPM package,glob-parent package,jQuery,Braces, go-redis,qs,LZ4,js-yaml might affect IBM Storage Defender Copy Data Management

Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Jetty, Eclipse Jetty, Spring Cloud Netflix Zuul , Spring Framework, Spring Security, NPM package, glob-parent package, jQuery, Braces, go-redis, qs, LZ4 and js-yaml. Vulnerabilities include , bypassing the...

production_ssm 安全漏洞

productionssm is an ERP system developed by MegaGao’s individual developers, utilizing technologies such as Spring+SpringMVC+Mybatis, along with jQuery EasyUI. Version 1.0 of productionssm contains a security vulnerability. This vulnerability stems from the authorization bypass that occurs when...

AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification

Summary The AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as raw HTML '' + heading + '' and inserts it into the DOM via jQuery...

CVE-2026-34716 AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as...

CVE-2026-34716 AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as...

VulnCheck KEV: CVE-2025-54726

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Miguel Useche JS Archive List jquery-archive-list-widget allows SQL Injection.This issue affects JS Archive List: from n/a through 6.1.6...

Security Bulletin: Multiple Vulnerabilities in IBM API Connect

Summary Multiple vulnerabilities were addressed in IBM API Connect version v12.1.0.2 Vulnerability Details CVEID:CVE-2012-6708 DESCRIPTION: jQuery before 1.9.0 is vulnerable to Cross-site Scripting XSS attacks. The jQuerystrInput function does not differentiate selectors from HTML in a reliable...

EUVD-2026-15870

Deserialization of Untrusted Data vulnerability in Miguel Useche JS Archive List jquery-archive-list-widget allows Object Injection.This issue affects JS Archive List: from n/a through = 6.1.7...

CVE-2019-25579

CVE-2019-25579 affects phpTransformer 2016.9. The vulnerability is a directory traversal in the jQueryFileUploadmaster endpoint: an unauthenticated attacker can manipulate the path parameter to access arbitrary files outside the intended directory by using traversal sequences (../../../../../../)...

CVE-2019-25579 phpTransformer 2016.9 Directory Traversal via jQueryFileUpload

phpTransformer 2016.9 contains a directory traversal vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the path parameter. Attackers can send requests to the jQueryFileUploadmaster server endpoint with traversal sequences ../../../../../../ to list and...

CVE-2019-25579 phpTransformer 2016.9 Directory Traversal via jQueryFileUpload

phpTransformer 2016.9 contains a directory traversal vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the path parameter. Attackers can send requests to the jQueryFileUploadmaster server endpoint with traversal sequences ../../../../../../ to list and...

PT-2026-26927

phpTransformer 2016.9 contains a directory traversal vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the path parameter. Attackers can send requests to the jQueryFileUploadmaster server endpoint with traversal sequences ../../../../../../ to list and...

CVE-2026-32119 OpenEMR has Stored DOM XSS via SearchHighlight text-node reconstruction on Custom Report page

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-based stored XSS in the jQuery SearchHighlight plugin library/js/SearchHighlight.js allows an authenticated user with encounter form write access to inject arbitrary...

ruby4.0-rubygem-jquery-rails-4.6.0-1.9 on GA media (moderate)

ruby4.0-rubygem-jquery-rails-4.6.0-1.9 on GA media Announcement ID: openSUSE-SU-2026:10350-1 Rating: moderate Cross-References: CVE-2015-1840 Affected Products: openSUSE Tumbleweed An update that solves one vulnerability can now be installed. Description: These are all security issues fixed in th...