CVE-2026-24325

SAP BusinessObjects Enterprise contains a Stored XSS flaw due to insufficient encoding of user-controlled inputs. An admin user could inject JavaScript that executes when visiting the affected page. The issue has a CVSS v3.1 base score of 4.8 (Medium) with Network access, Low confidentiality and ...

Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Google Chrome

Affected Software: Google Chrome prior to version 121.0.6167.8...

Flowring Agentflow 跨站脚本漏洞

Flowring Agentflow is an intelligent process automation RPA platform developed by Flowring Corporation in China. Flowring Agentflow has a cross-site scripting vulnerability. This vulnerability stems from stored-xss scripts, which may allow authenticated remote attackers to inject persistent...

Flowring Agentflow 跨站脚本漏洞

Flowring Agentflow is an intelligent process automation RPA platform developed by Flowring Corporation in China. Flowring Agentflow has a cross-site scripting vulnerability, which stems from reflective cross-site scripting. This vulnerability could allow unverified remote attackers to execute...

PT-2026-7224

SAP BusinessObjects Enterprise does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting XSS vulnerability. This enables an admin user to inject malicious JavaScript into a website and the injected script gets executed when the user visits the compromised page.Th...

CASL 安全漏洞

CASL is a JavaScript library developed by Serhii Stotskyi. Versions 2.4.0 to 6.7.4 of CASL contain security vulnerabilities, which stem from prototype pollution and may lead to logical errors or other attacks...

PT-2026-7239

AgentFlow developed by Flowring has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to inject persistent JavaScript codes that are executed in users' browsers upon page load...

PT-2026-7263

Name of the Vulnerable Software and Affected Versions Sarman Soft CMS versions through 10022026 Description The software contains an Execution After Redirect EAR issue that allows for JSON Hijacking, also known as JavaScript Hijacking, and Authentication Bypass. This flaw occurs due to improper...

CVE-2026-25925

PowerDocu contains a Windows GUI executable to perform technical documentations. Prior to 2.4.0, PowerDocu contains a critical security vulnerability in how it parses JSON files within Flow or App packages. The application blindly trusts the $type property in JSON files, allowing an attacker to...

CVE-2026-25925

PowerDocu contains a Windows GUI executable to perform technical documentations. Prior to 2.4.0, PowerDocu contains a critical security vulnerability in how it parses JSON files within Flow or App packages. The application blindly trusts the $type property in JSON files, allowing an attacker to...

CVE-2026-25925 PowerDocu Affected by Remote Code Execution via Insecure Deserialization

PowerDocu contains a Windows GUI executable to perform technical documentations. Prior to 2.4.0, PowerDocu contains a critical security vulnerability in how it parses JSON files within Flow or App packages. The application blindly trusts the $type property in JSON files, allowing an attacker to...

Prototype Pollution

Overview org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Prototype Pollution via the mergeConfig function. An attacker can cause the application to crash by supplying a malicious configuration object containing ...

LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection

Summary The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary apiurl values through the baggage header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints. ---...

Cross-site Scripting (XSS)

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Entry Type Name field in the settings page. An attacker can execute arbitrary JavaScript code in the context of the admin panel by submitting specially crafte...

CVE-2026-25528

CVE-2026-25528 affects LangSmith Client SDKs with distributed tracing. The baggage header in HTTP requests could inject replica configurations (api_url/api_key), causing the SDK to send trace data to attacker-controlled endpoints via post()/patch() after a traced operation. Root cause: RunTree.fr...

CVE-2026-25528 LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary apiurl values through the baggage header, causing the SDK to...

CVE-2026-25528 LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary apiurl values through the baggage header, causing the SDK to...

CVE-2026-25528

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary apiurl values through the baggage header, causing the SDK to...

Cross-site Scripting (XSS)

craftcms/commerce is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper sanitization of the “Address Line 1” field in Inventory Locations, which allows an attacker to store and execute malicious JavaScript in an administrator’s browser via the admin panel...

Improper Isolation or Compartmentalization

Overview mcp-run-python is a Model Context Protocol server to run Python code in a sandbox. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization via the runPython or runPythonAsync functions. An attacker can gain unauthorized access to and manipulate the...