58971 matches found

OSV (added 2026/02/18 6:59 p.m., 4 views)

CVE-2026-25500 Rack's Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the javascript: scheme, e.g. javascript:alert(1), the...

CVSS 5.4 | AI score 5.5 | EPSS 0.00224
Exploits 1 | References 4
Vulnrichment (added 2026/02/18 6:59 p.m., 3 views)

CVE-2026-25500 Rack's Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the javascript: scheme, e.g. javascript:alert(1), the...

CVSS 5.4 | AI score 5.5 | EPSS 0.00224
Exploits 1 | References 2
CVE (added 2026/02/18 6:59 p.m., 20 views)

CVE-2026-25500

Rack is a Ruby web server interface. CVE-2026-25500 affects Rack::Directory, where prior to versions 2.2.22, 3.1.20, and 3.2.5 an HTML directory index could include a link with href equal to javascript:alert(1), enabling stored XSS when a file on disk has a basename starting with the javascript: ...

CVSS 5.4 | AI score 5.5 | EPSS 0.00224
Exploits 1 | References 2 | Affected software 1
OSV (added 2026/02/18 2:16 p.m., 2 views)

CVE-2026-1438

Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker ...

CVSS 6.1 | AI score 6.1
Exploits 0 | References 1
Vulnrichment (added 2026/02/18 1:12 p.m., 3 views)

CVE-2026-1437 Reflected Cross-Site Scripting (XSS) vulnerability in Graylog Web Interface

Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker ...

CVSS 5.3 | AI score 6.1 | EPSS 0.00204
Exploits 0 | References 1
HackerOne (added 2026/02/18 12:17 p.m., 6 views)

Node.js: Denial of Service via `__proto__` header name in `req.headersDistinct` (Uncaught `TypeError` crashes Node.js process)

Vulnerability description not provided...

CVSS 7.5 | AI score 6.7 | EPSS 0.13066
Exploits 0
OSV (added 2026/02/18 10:30 a.m., 3 views)

RSEC-2026-0 Cross-site Request Forgery (CSRF) vulnerability

The widgetframe R package is exposed to a vulnerability due to its use of the Pym.js library version 1.3.1. This can result in arbitrary JavaScript code execution...

CVSS 8.8 | AI score 6 | EPSS 0.0104
Exploits 0 | References 4
OSV (added 2026/02/18 9:05 a.m., 6 views)

RLSA-2026:2782 Important: nodejs:22 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: nodejs: Node.js filesystem permissions bypass (CVE-2025-55132); nodejs: Node.js denial of service (CVE-2026-21637); nodejs: Node.js denial of service...

CVSS 7.5 | AI score 5.6 | EPSS 0.01056
Exploits 2 | References 7
Kaspersky (added 2026/02/18 12:00 a.m., 3 views)

KLA90896 Multiple vulnerabilities in Google Chrome

Multiple vulnerabilities were found in Google Chrome. Malicious users can exploit these vulnerabilities to cause denial of service or execute arbitrary code. Below is a complete list of vulnerabilities: 1. Heap buffer overflow vulnerability in PDFium can be exploited to cause denial of service. 2...

CVSS 8.8 | AI score 6.3 | EPSS 0.00642
Exploits 0 | References 3
CNNVD (added 2026/02/18 12:00 a.m., 5 views)

Google Chrome security vulnerability

Google Chrome is a web browser developed by Google Inc. Versions of Google Chrome prior to 145.0.7632.109 contained a security vulnerability caused by an integer overflow in the V8 component, potentially leading to heap corruption...

CVSS 8.8 | AI score 7.5 | EPSS 0.00642
Exploits 0 | References 3
CNNVD (added 2026/02/18 12:00 a.m., 5 views)

ezBookkeeping security vulnerability

ezBookkeeping is a lightweight personal accounting application developed by mayswind developers. Versions of ezBookkeeping 1.2.0 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the lack of validation of nesting depth during the processing of JSON and XML file...

CVSS 6.5 | AI score 5.8 | EPSS 0.00288
Exploits 1 | References 1
Amazon (added 2026/02/18 12:00 a.m., 7 views)

Important: firefox

Issue Overview: Spoofing issue in the Downloads Panel component. This vulnerability affects Firefox 146. (CVE-2025-14327) Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox 147, Firefox ESR 115.32, and Firefox ESR 140.7. (CVE-2026-0877) Sandbox escape due to incorrec...

CVSS 9.8 | AI score 6 | EPSS 0.0055
Exploits 0
CNNVD (added 2026/02/18 12:00 a.m., 6 views)

Bematech MP-4200 TH cross-site scripting vulnerability

The Bematech MP-4200 TH is a thermal receipt printer produced by the British company Bematech. The Bematech MP-4200 TH has a cross-site scripting vulnerability. This vulnerability stems from a cross-site scripting flaw present in the administrator configuration page, which may allow...

CVSS 6.1 | AI score 5.7 | EPSS 0.00282
Exploits 0 | References 5
Positive Technologies (added 2026/02/18 12:00 a.m., 6 views)

PT-2026-20502

IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the fwhosts.cgi script that allow attackers to inject malicious scripts through multiple parameters including HOSTNAME, IP, SUBNET, NETREMARK, HOSTREMARK, newhost, grp name, remark, SRV NAME, SRV PORT,...

CVSS 5.4 | AI score 5.6 | EPSS 0.00207
Exploits 1 | References 4
Positive Technologies (added 2026/02/18 12:00 a.m., 4 views)

PT-2026-20393

Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker ...

CVSS 5.3 | AI score 6.1 | EPSS 0.00204
Exploits 0 | References 2
Tenable Nessus (added 2026/02/18 12:00 a.m., 1 view)

Google Chrome < 145.0.7632.109 Multiple Vulnerabilities

The version of Google Chrome installed on the remote Windows host is prior to 145.0.7632.109. It is, therefore, affected by multiple vulnerabilities as referenced in the 202602stable-channel-update-for-desktop18 advisory. - Heap buffer overflow in Media in Google Chrome prior to 145.0.7632.109...

CVSS 8.8 | AI score 7.7 | EPSS 0.00642
Exploits 0 | References 7
Google Chrome Security Advisories (added 2026/02/18 12:00 a.m., 10 views)

Stable Channel Update for Desktop

The Stable channel has been updated to 145.0.7632.109/110 for Windows/Mac and 145.0.7632.109 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log Security Fixes and Rewards Note: Access to bug details and links may be kept...

CVSS 8.8 | AI score 8.4 | EPSS 0.00642
Exploits 0 | Affected software 1
CNNVD (added 2026/02/18 12:00 a.m., 5 views)

Rack cross-site scripting vulnerability

Rack is a modular Ruby web server interface developed by the Rack open source project. Versions of Rack prior to 2.2.22, 3.1.20, and 3.2.5 had a cross-site scripting vulnerability. This vulnerability stemmed from the HTML directory index generated by Rack::Directory, which contained clickable...

CVSS 5.4 | AI score 6.3 | EPSS 0.00224
Exploits 1 | References 3
OSV (added 2026/02/17 6:46 p.m., 4 views)

GHSA-WHRJ-4476-WVMP Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href

Summary: Rack::Directory generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the javascript: scheme, e.g. javascript:alert(1), the generated index includes an anchor whose href attribute is exactly...

CVSS 5.4 | AI score 6.5 | EPSS 0.00224
Exploits 1 | References 5
Snyk (added 2026/02/17 6:46 p.m., 5 views)

Cross-site Scripting (XSS)

Overview: rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a singl...

CVSS 5.4 | AI score 5.5 | EPSS 0.00224
Exploits 1 | References 2