PT-2026-21318

OrientDB 3.0.17 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating users with script payloads in the name parameter. Attackers can send POST requests to the document endpoint with JavaScript code in the name field to...

PT-2026-21329

OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Versions 1.1.2-alpha and below render untrusted user/model content in chat tool UI surfaces using unsafe HTML interpolation patterns, leading to XSS. Stored content can execute JavaScript when...

Phpscriptsmall Fiverr Clone Script 跨站脚本漏洞

Phpscriptsmall Fiverr Clone Script is a set of software scripts developed by Phpscriptsmall. The Phpscriptsmall Fiverr Clone Script 1.2.2 version contains a cross-site scripting vulnerability. This vulnerability stems from the keyword parameter being susceptible to cross-site scripting attacks,...

PT-2026-21341

Name of the Vulnerable Software and Affected Versions AVideo versions prior to 21.0 AVideo version 18.0 Description AVideo allows Markdown in video comments and uses Parsedown v1.7.4 without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing javascript: URIs to be rendered...

PT-2026-21274

SVXportal version 2.5 and prior contain a stored cross-site scripting vulnerability in the user registration workflow index.php submitting to admin/user action.php. User-supplied fields such as Firstname, lastname, and email are stored in the backend database without adequate output encoding and...

PT-2026-21290

Name of the Vulnerable Software and Affected Versions Google Cloud Vertex AI SDK google-cloud-aiplatform versions 1.98.0 through 1.130.9 Description A Stored Cross-Site Scripting XSS issue exists in the genai/ evals visualization component of Google Cloud Vertex AI SDK. This allows an...

CVE-2026-25940

A flaw was found in jsPDF. The properties and methods of the Acroform module accept user input without sanitization, allowing an attacker to inject arbitrary PDF objects, such as JavaScript actions. Specifically, if an attacker can supply a specially crafted input to the...

CVE-2026-26280

CVE-2026-26280 affects the systeminformation library for Node.js. In versions prior to 5.30.8, wifiNetworks() is vulnerable to command injection: if the initial interface input yields no results, a retry path calls getWifiNetworkListIw(iface) with the original, unsanitized iface value, which is p...

CVE-2026-26278

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible ...

jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property)

Impact User control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which a...

Improper Encoding or Escaping of Output

Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the appearanceState property of the AcroForm module. An attacker can execute arbitrary JavaScript code in the context of the PDF viewer by injecting malicious input into this property, which i...

GHSA-P5XG-68WR-HM3M jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property)

Impact User control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which a...

GHSA-9VJF-QC39-JPRP jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method

Impact User control of the argument of the addJS method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user...

CVE-2026-26059

ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would execute when the group was viewed in the Group View. Version 6.8.2 fixes this issue...

CVE-2026-26059

CVE-2026-26059 affects ChurchCRM prior to 6.8.2 and is a stored XSS in GroupEditor.php: an authenticated user with group-edit permissions could store a JavaScript payload that executes when the group is viewed. The issue is fixed in version 6.8.2. If upgrading is possible, apply 6.8.2 or newer to...

CVE-2026-23613

CVE-2026-23613 affects GFI MailEssentials AI prior to 22.4. A stored cross-site scripting vulnerability exists in the DNS Blocklist URI configuration page. An authenticated user can submit HTML/JavaScript via the ctl00$ContentPlaceHolder1$pv1$TXB_URIs parameter to /MailEssentials/pages/MailSecuri...

CVE-2026-23612 GFI MailEssentials AI < 22.4 Anti-Spam IP DNS Blocklist Domain Stored XSS

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the IP DNS Blocklist configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXBIPs parameter to...

CVE-2026-23611 GFI MailEssentials AI < 22.4 Anti-Spam IP Blocklist Description Stored XSS

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the IP Blocklist management page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$txtIPDescription parameter to...

CVE-2026-23609

GFI MailEssentials AI (versions prior to 22.4) contains a stored cross-site scripting vulnerability in the Perimeter SMTP Servers configuration page. An authenticated user can submit HTML/JavaScript to ctl00$ContentPlaceHolder1$pv3$txtDescription on /MailEssentials/pages/MailSecurity/PerimeterSMT...

CVE-2026-23608 GFI MailEssentials AI < 22.4 Email Management Mail Monitoring Rule Stored XSS

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Mail Monitoring rule creation endpoint. An authenticated user can supply HTML/JavaScript in the JSON "name" field to /MailEssentials/pages/MailSecurity/MailMonitoring.aspx/Save, which is stored...