58889 matches found
CVE-2026-40873 mailcow: dockerized vulnerable to stored XSS in Quarantine attachment filenames
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name s...
CVE-2026-41456 Bludit CMS Reflected XSS via Search Plugin
Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit...
CVE-2026-41456
CVE-2026-41456 affects Bludit CMS prior to commit 6732dde, where a reflected XSS in the search plugin allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. When users visit a crafted URL, attackers can execute scripts in their browsers, potentially ...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the /index.php/Speciaal:GefacetteerdZoeken parameter. An attacker can execute arbitrary JavaScript in a victim's browser by crafting a malicious URL and tricking the user into visiting it, potentially leadin...
CVE-2026-35451
Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting XSS vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: U...
CVE-2026-35451 Twenty: Stored XSS via BlockNote FileBlock
Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting XSS vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: U...
EUVD-2026-24161
Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting XSS vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: U...
CVE-2026-35451
Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting XSS vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: U...
CVE-2026-35451
CVE-2026-35451 affects the Twenty open source CRM, specifically the BlockNote editor. Before version 1.20.6 there is a Stored XSS in the FileBlock component: an attacker can inject a javascript: URI into the url property of a file block due to lack of protocol validation and insufficient server-s...
EUVD-2026-24120
Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150...
EUVD-2026-24099
Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150...
EUVD-2026-24095
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10...
EUVD-2026-24098
Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10...
CVE-2026-6779
Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150 and Thunderbird 150...
CVE-2026-6758
Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150 and Thunderbird 150...
CVE-2026-6754
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10...
CVE-2026-6757
Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10...
CVE-2026-6757
Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10...
CVE-2026-6779
Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150 and Thunderbird 150...
UBUNTU-CVE-2026-6779
Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150 and Thunderbird 150...