CVE-2026-4461
Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: High...
PT-2026-26506
ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in SystemSettings.php, leading ...
CVE-2026-30578
File Thinghie 2.5.7 is vulnerable to Cross Site Scripting XSS. A malicious user can leverage the "dir" parameter of the GET request to invoke arbitrary javascript code...
CVE-2026-4447
Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...
Spring Framework security vulnerability
The Spring Framework is an open-source application development framework developed by Spring. There are security vulnerabilities in Spring Framework versions 7.0.5 and earlier, 6.2.16 and earlier, 6.1.25 and earlier, and 5.3.46 and earlier. These vulnerabilities stem from the use of Java scrip...
ChurchCRM security vulnerability
ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 7.0.2 contain security vulnerabilities. These vulnerabilities stem from improper sanitization of JSON input in the SystemSettings.php file, which could lead to cross-site scripting attacks...
CVE-2026-30578
The CVE-2026-30578 entry concerns File Thinghie 2.5.7, vulnerable to Cross Site Scripting (XSS) via the dir parameter in GET requests, allowing injection of arbitrary JavaScript code. Reported across multiple feeds (Red Hat, ENISA/EUVD, NVD, CVE List, CIRCL, CNNVD, AttackersKB, etc.). The availab...
PT-2026-26647
CVE-2026-30579 File Thingie 2.5.7 is vulnerable to Cross Site Scripting XSS. A malicious user can leverage the "upload file" functionality to upload a file with a crafted file nam… https://t.co/N4t4f6wlMZ...
CVE-2026-30579
File Thingie 2.5.7 is vulnerable to Cross Site Scripting XSS. A malicious user can leverage the "upload file" functionality to upload a file with a crafted file name used to trigger a Javascript payload...
PT-2026-26651
XinLiangCoder php api doc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in list method.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL...
PT-2026-26646
CVE-2026-30578 File Thinghie 2.5.7 is vulnerable to Cross Site Scripting XSS. A malicious user can leverage the "dir" parameter of the GET request to invoke arbitrary javascript c… https://t.co/280mfkh6c3...
Red Hat OpenShift AI security vulnerability
Red Hat OpenShift AI is an AI lifecycle management platform developed by Red Hat Inc. There is a security vulnerability in Red Hat OpenShift AI, which stems from improper endpoint access control at the /save-document endpoint. This vulnerability could allow unverified remote attackers to write...
CVE-2026-22737
Use of Java scripting engine enabled e.g. JRuby, Jython template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0...
CVE-2026-33395 Discourse has stored click‑based XSS via Graphviz SVG javascript: links
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the discourse-graphviz plugin contains a stored cross-site scripting XSS vulnerability that allows authenticated users to inject malicious JavaScript code through DOT graph definitions. F...
CVE-2026-32754
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.208 and below are vulnerable to Stored Cross-Site Scripting XSS through FreeScout's email notification templates. Incoming email bodies are stored in the database without sanitization and rendered...
EUVD-2026-13328
OpenClaw versions prior to 2026.2.23 contain an html injection vulnerability in the HTML session exporter that allows attackers to execute arbitrary javascript by injecting malicious mimeType values in image content blocks. Attackers can craft session entries with specially crafted mimeType...
CVE-2026-33346 OpenEMR has stored XSS in portal_payment.php via Unescaped table_args
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, a stored cross-site scripting XSS vulnerability in the patient portal payment flow allows a patient portal user to persist arbitrary JavaScript that executes in the browser o...
CVE-2026-32119 OpenEMR has Stored DOM XSS via SearchHighlight text-node reconstruction on Custom Report page
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-based stored XSS in the jQuery SearchHighlight plugin library/js/SearchHighlight.js allows an authenticated user with encounter form write access to inject arbitrary...
GHSA-JP2Q-39XQ-3W4G Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser
Summary The DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in...
Server-side Request Forgery (SSRF)
Overview league/commonmark is a PHP-based Markdown parser which supports the full CommonMark spec. It is based on the CommonMark JS reference implementation. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the DomainFilteringAdapter process. An attacker ca...