Nocobase 安全漏洞

Nocobase is an open-source low-code platform developed by NocoBase. Versions of Nocobase 2.0.23 and earlier contained security vulnerabilities. These vulnerabilities were caused by improper use of the createSafeConsole function in the...

PT-2026-32377

Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc. During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI and logging helper...

CVE-2025-69624

Nitro PDF Pro for Windows 14.41.1.4 contains a NULL pointer dereference vulnerability in the JavaScript implementation of app.alert. When app.alert is called with more than one argument and the first argument evaluates to null for example, app.alertapp.activeDocs, true when app.activeDocs is null...

PT-2026-32416

GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other users' browsers due...

CVE-2025-69627

Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc. During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI and logging helper...

Amazon Linux 2023 : nodejs24, nodejs24-devel, nodejs24-full-i18n (ALAS2023-2026-1578)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1578 advisory. A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named proto and the application accesses req.headersDistinct. When this occurs,...

PT-2026-32376

Nitro PDF Pro for Windows 14.41.1.4 contains a NULL pointer dereference vulnerability in the JavaScript implementation of app.alert. When app.alert is called with more than one argument and the first argument evaluates to null for example, app.alertapp.activeDocs, true when app.activeDocs is null...

PT-2026-32532

A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in sandbox issue. The attack can be...

RHEL 8 : firefox (RHSA-2026:7842)

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:7842 advisory. Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fixes: firefox:...

RHEL 9 : firefox (RHSA-2026:7841)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:7841 advisory. Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fixes: firefox:...

RHEL 8 : firefox (RHSA-2026:7858)

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:7858 advisory. Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fixes: firefox:...

Oracle Linux 8 : nodejs:24 (ELSA-2026-7670)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-7670 advisory. nodejs 1:24.14.1-2 - Update bundled nghttp2 to 1.68.1 Related: RHEL-151374 1:24.14.1-1 - Update to 24.14.0 Resolves: RHEL-151374 nodejs-nodemon 3.0.3-1...

Important: nodejs:24 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: nodejs: Nodejs denial of service CVE-2026-21637 minimatch: minimatch: Denial of Service via specially crafted glob patterns CVE-2026-26996 undici:...

RHEL 9 : firefox (RHSA-2026:7837)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:7837 advisory. Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fixes: firefox:...

RHEL 10 : firefox (RHSA-2026:7843)

The remote Redhat Enterprise Linux 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:7843 advisory. Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fixes: firefox:...

RHEL 9 : firefox (RHSA-2026:7845)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:7845 advisory. Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fixes: firefox:...

Oracle Linux 10 : nodejs24 (ELSA-2026-7675)

The remote Oracle Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-7675 advisory. 1:24.14.1-2.0.2 - Rebuild to correct NVR 1:24.14.1-2.0.1 - Update upstream references Tenable has extracted the preceding description block directly...

EUVD-2017-18965

MDwiki contains a cross-site scripting vulnerability that allows remote attackers to execute arbitrary JavaScript by injecting malicious code through the location hash parameter. Attackers can craft URLs with JavaScript payloads in the hash fragment that are parsed and rendered without...

CVE-2017-20239

MDwiki contains a cross-site scripting vulnerability that allows remote attackers to execute arbitrary JavaScript by injecting malicious code through the location hash parameter. Attackers can craft URLs with JavaScript payloads in the hash fragment that are parsed and rendered without...

CVE-2017-20239

MDwiki contains a cross-site scripting vulnerability reachable through the location hash parameter. The issue allows remote attackers to execute arbitrary JavaScript in the victim’s browser by crafting a URL with a malicious hash fragment that is parsed and rendered without sanitization. Document...