CVE-2025-52470

Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting XSS vulnerability exists in the sessioncategoryadd.php script. The vulnerability is caused by improper sanitization of the Category Name field, allowing privileged users to inject persistent JavaScrip...

CVE-2026-3244

In Concrete CMS below version 9.4.8, A stored cross-site scripting XSS vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page nam...

CVE-2026-3244

Concrete CMS versions below 9.4.8 are affected by a stored XSS in the search block, where page names and content render without HTML encoding, enabling an authenticated rogue administrator to inject JavaScript that runs when users run and view search results. The issue is documented with CVSS v4....

Cisco Secure Firewall Threat Defense和Cisco IOS XE Software 资源管理错误漏洞

Cisco Secure Firewall Threat Defense and Cisco IOS XE Software are both products of the American company Cisco. Cisco Secure Firewall Threat Defense is an integrated firewall platform. Cisco IOS XE Software is a network operating system. Both Cisco Secure Firewall Threat Defense and Cisco IOS XE...

PT-2026-23097

Name of the Vulnerable Software and Affected Versions Locutus versions prior to 3.0.0 Description Locutus, a library designed to bring standard libraries from other programming languages to JavaScript for educational purposes, contains a remote code execution RCE flaw. This issue resides within t...

PT-2026-22866

In Concrete CMS below version 9.4.8, a stored cross-site scripting XSS vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms e.g., a rogue administrator can inject a persistent JavaScript payload into the options of a multiple-choice...

RHEL 9 : firefox (RHSA-2026:3493)

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:3493 advisory. Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fixes: libvpx: Heap...

PT-2026-23094

Name of the Vulnerable Software and Affected Versions Immutable.js versions prior to 3.8.3 Immutable.js versions prior to 4.3.7 Immutable.js versions prior to 5.1.5 Description A Prototype Pollution issue exists in Immutable.js through versions prior to 3.8.3, 4.3.7, and 5.1.5, specifically withi...

Simplejobscript 跨站脚本漏洞

Simplejobscript is a free web development software open source by Niteosoft. Simplejobscript has a cross-site scripting vulnerability; this vulnerability stems from the jobtypevalue parameter having cross-site scripting capabilities, which may allow unverified attackers to inject malicious script...

FreeBSD : Firefox -- Multiple vulnerabilities (1124a7b0-1338-11f1-a55d-b42e991fc52e)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 1124a7b0-1338-11f1-a55d-b42e991fc52e advisory. CVE-2026-2807: Memory safety bugs present in Firefox 147 and Thunderbird 147 CVE-2026-2806:...

PT-2026-23102

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.5.9 Description SiYuan, a personal knowledge management system, contains a reflected cross-site scripting XSS issue in the dynamic icon API endpoint. The vulnerability occurs when the type parameter is set to 8,...

CVE-2026-26272

HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting XSS vulnerability exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload...

AZL-79340 CVE-2026-27601 affecting package cyrus-sasl 2.1.28-8

Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the .flatten and .isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service DoS attack by triggering a stack overflow...

CVE-2026-27601 Underscore.js has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack

Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the .flatten and .isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service DoS attack by triggering a stack overflow...

CVE-2026-26272 HomeBox affected by Stored XSS via HTML/SVG Attachment Upload

HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting XSS vulnerability exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload...

CVE-2026-26272

HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting XSS vulnerability exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload...

Cross-site Scripting (XSS)

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Cross-site Scripting XSS via template.js. An attacker can execute arbitrary JavaScript in the context of the exported HTML by injecting a crafted value into the mimeType field of an image...

CVE-2026-0540

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements noscript, xmp, noembed, noframes, iframe in the SAFEFORXML regex. Attacke...

CVE-2021-35483

The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload JavaScript files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application, or during the editing of an...

CVE-2021-35483

The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload JavaScript files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application, or during the editing of an...