58966 matches found

RedhatCVE
added 2026/02/22 1:28 a.m. | 2 views

CVE-2026-27147

GetSimple CMS is a content management system. All versions of GetSimple CMS are vulnerable to XSS through SVG file uploads. Authenticated users can upload SVG files via the administrative upload functionality, but they are not properly sanitized or restricted, allowing an attacker to embed...

CVSS 6.9 | AI score 5.6 | EPSS 0.00197
Exploits: 1 | References: 1

Tenable Nessus
added 2026/02/22 12:0 a.m. | 5 views

openSUSE 16 Security Update : chromium (openSUSE-SU-2026:20258-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20258-1 advisory. Changes in chromium: - Chromium 145.0.7632.109 boo1258438: CVE-2026-2648: Heap buffer overflow in PDFium CVE-2026-2649: Integer overflow in V8...

CVSS 8.8 | AI score 7.7 | EPSS 0.00642
Exploits: 0 | References: 7

RedhatCVE
added 2026/02/21 7:30 p.m. | 2 views

CVE-2025-68846

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Paris Holley Asynchronous Javascript asynchronous-javascript allows Reflected XSS. This issue affects Asynchronous Javascript: from n/a through <= 1.3.5...

CVSS 7.1 | AI score 5.5 | EPSS 0.00175
Exploits: 0 | References: 1

RedhatCVE
added 2026/02/21 7:29 p.m. | 4 views

CVE-2026-24959

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in JoomSky JS Help Desk js-support-ticket allows Blind SQL Injection. This issue affects JS Help Desk: from n/a through <= 3.0.1...

CVSS 8.5 | AI score 5.8 | EPSS 0.00217
Exploits: 0 | References: 1

RedhatCVE
added 2026/02/21 7:29 p.m. | 3 views

CVE-2026-27505

SVXportal version 2.5 and prior contain a stored cross-site scripting vulnerability in the user registration workflow index.php submitting to admin/useraction.php. User-supplied fields such as Firstname, lastname, and email are stored in the backend database without adequate output encoding and a...

CVSS 6.1 | AI score 5.5 | EPSS 0.00181
Exploits: 0 | References: 1

RedhatCVE
added 2026/02/21 7:29 p.m. | 4 views

CVE-2026-27502

SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in log.php via the search query parameter. The application embeds the unsanitized parameter value directly into an HTML input value attribute, allowing an unauthenticated remote attacker to inject and execute...

CVSS 6.1 | AI score 5.6 | EPSS 0.00201
Exploits: 0 | References: 1

RedhatCVE
added 2026/02/21 7:29 p.m. | 5 views

CVE-2019-25445

Fiverr Clone Script 1.2.2 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft URLs with script tags in the keyword parameter of search-results.php to execute arbitrary JavaScript...

CVSS 6.1 | AI score 5.6 | EPSS 0.00212
Exploits: 1 | References: 1

RedhatCVE
added 2026/02/21 7:29 p.m. | 7 views

CVE-2026-27503

SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in admin/log.php via the search query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value directly into an HTML input value attribute,...

CVSS 6.1 | AI score 5.3 | EPSS 0.00155
Exploits: 0 | References: 1

ATTACKERKB
added 2026/02/21 6:54 a.m. | 5 views

CVE-2026-27458

LinkAce is a self-hosted archive to collect website links. Versions 2.4.2 and below have a Stored Cross-site Scripting vulnerability through the Atom feed endpoint for lists /lists/feed. An authenticated user can inject a CDATA-breaking payload into a list description that escapes the XML CDATA...

CVSS 8.7 | AI score 6 | EPSS 0.00218
Exploits: 1 | References: 3 | Affected Software: 1

CVE
added 2026/02/21 6:54 a.m. | 10 views

CVE-2026-27458

LinkAce versions 2.4.2 and earlier are affected by a Stored XSS in the Atom feed at /lists/feed. An authenticated user can inject a CDATA-breaking payload into a list description, escaping the CDATA and injecting an SVG element into the Atom XML, which the browser parses and executes as JavaScrip...

CVSS 8.7 | AI score 6 | EPSS 0.00218
Exploits: 1 | References: 2 | Affected Software: 1

ATTACKERKB
added 2026/02/21 4:30 a.m. | 5 views

CVE-2026-27196

Statamic is a Laravel and Git powered content management system (CMS). Versions 5.73.8 and below in addition to 6.0.0-alpha.1 through 6.3.1 have a Stored XSS vulnerability in html fieldtypes which allows authenticated users with field management permissions to inject malicious JavaScript that...

CVSS 8.1 | AI score 5.5 | EPSS 0.0028
Exploits: 0 | References: 4 | Affected Software: 1

OSV
added 2026/02/21 2:15 a.m. | 4 views

OPENSUSE-SU-2026:20258-1 Security update for chromium

This update for chromium fixes the following issues: Changes in chromium: - Chromium 145.0.7632.109 boo1258438: CVE-2026-2648: Heap buffer overflow in PDFium CVE-2026-2649: Integer overflow in V8 CVE-2026-2650: Heap buffer overflow in Media...

CVSS 8.8 | AI score 5.7 | EPSS 0.00642
Exploits: 0 | References: 4

RedhatCVE
added 2026/02/21 1:28 a.m. | 5 views

CVE-2025-13672

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in OpenText™ Web Site Management Server allows Reflected XSS. The vulnerability could allow injecting malicious JavaScript inside URL parameters that was then rendered with the preview of the...

CVSS 7 | AI score 5.4 | EPSS 0.00202
Exploits: 1 | References: 1

SUSE CVE
added 2026/02/21 12:23 a.m. | 2 views

SUSE CVE-2026-26996

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service ReDoS when a glob pattern contains many consecutive wildcards followed by a literal character that doesn't appea...

CVSS 7.5 | AI score 5.7 | EPSS 0.00519
Exploits: 1 | References: 34

CNNVD
added 2026/02/21 12:0 a.m. | 4 views

LinkAce Security Vulnerability

LinkAce is a self-hosted repository developed by Kevin Woblick, designed to collect links to your favorite websites. Versions of LinkAce 2.4.2 and earlier contained a security vulnerability; this vulnerability stemmed from a storage-type cross-site scripting vulnerability in the list’s Atom...

CVSS 8.7 | AI score 5.8 | EPSS 0.00218
Exploits: 1 | References: 2

Positive Technologies
added 2026/02/21 12:0 a.m. | 6 views

PT-2026-21363

LinkAce is a self-hosted archive to collect website links. Versions 2.4.2 and below have a Stored Cross-site Scripting vulnerability through the Atom feed endpoint for lists /lists/feed. An authenticated user can inject a CDATA-breaking payload into a list description that escapes the XML CDATA...

CVSS 8.7 | AI score 6 | EPSS 0.00218
Exploits: 1 | References: 3

Positive Technologies
added 2026/02/21 12:0 a.m. | 5 views

PT-2026-21401

Name of the Vulnerable Software and Affected Versions: yt-dlp versions prior to 2026.02.21. Description: The --netrc-cmd option in yt-dlp contains an arbitrary command injection issue. The argument passed to the command in this option is now limited to a safe subset of characters to address this. Th...

CVSS 8.8 | AI score 5.9 | EPSS 0.01596
Exploits: 2 | References: 29

CNNVD
added 2026/02/21 12:0 a.m. | 6 views

OneUptime Code Injection Vulnerability

OneUptime is a comprehensive open-source solution developed by OneUptime. It is used to monitor and manage your online services. Versions of OneUptime 9.5.13 and earlier contain a code injection vulnerability. This vulnerability stems from the use of the unsafe node:vm module in the custom...

CVSS 9.9 | AI score 6 | EPSS 0.00504
Exploits: 2 | References: 2

Vulnrichment
added 2026/02/20 11:51 p.m. | 5 views

CVE-2026-27169 OpenSift: Persistent XSS Chat Tool Rendering

OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Versions 1.1.2-alpha and below render untrusted user/model content in chat tool UI surfaces using unsafe HTML interpolation patterns, leading to XSS. Stored content can execute JavaScript when...

CVSS 8.9 | AI score 5.7 | EPSS 0.00347
Exploits: 0 | References: 2

OSV
added 2026/02/20 11:16 p.m. | 5 views

CVE-2019-25454

phpMoAdmin 1.1.5 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the collection parameter. Attackers can send GET requests to moadmin.php with script payloads in the collection parameter during collection...

CVSS 6.1 | AI score 5.9 | EPSS 0.00244
Exploits: 1 | References: 3