CVE-2023-38017

IBM Cloud Pak System is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

TYDAC AG MAP+ 安全漏洞

TYDAC AG MAP+ is a geographic information system platform developed by the Swiss company TYDAC. Version 3.4.0 of TYDAC AG MAP+ contains a security vulnerability. This vulnerability stems from a reflection-type cross-site scripting vulnerability in the PDF export function, which could allow...

PT-2026-6740

Millhouse-Project 1.414 contains a persistent cross-site scripting vulnerability in the comment submission functionality that allows attackers to inject malicious scripts. Attackers can post comments with embedded JavaScript through the 'content' parameter in add comment sql.php to execute...

Mattermost Confluence Plugin 安全漏洞

The Mattermost Confluence Plugin is a plugin developed by the American company Mattermost. Versions of the Mattermost Confluence Plugin prior to version 1.7.0 contained security vulnerabilities. These vulnerabilities stemmed from improper escaping of user-controlled display names during HTML...

PT-2026-6678

Name of the Vulnerable Software and Affected Versions TYDAC AG MAP+ version 3.4.0 Description A reflected cross-site scripting XSS flaw exists in the PDF export functionality. This allows unauthenticated attackers to create a malicious URL. If a victim accesses this URL, arbitrary JavaScript code...

PT-2026-6869

Summary A Path Traversal vulnerability in the Pydantic AI web UI allows an attacker to serve arbitrary JavaScript in the context of the application by crafting a malicious URL. If a victim clicks the link or visits it via an iframe, attacker-controlled code executes in their browser, enabling the...

PT-2026-6789

Name of the Vulnerable Software and Affected Versions Pydantic AI versions 1.34.0 through 1.50.9 Description Pydantic AI contains a path traversal issue in its web UI. A crafted URL can be used by an attacker to serve arbitrary JavaScript within the application's context. This allows execution of...

PT-2026-6729

Name of the Vulnerable Software and Affected Versions Mattermost Confluence plugin versions prior to 1.7.0 Description The Mattermost Confluence plugin does not properly sanitize user-controlled display names when rendering HTML templates. This allows authenticated Confluence users with malicious...

GHSA-JJPW-65FV-8G48 @nyariv/sandboxjs has Sandbox Escape via Prototype Whitelist Bypass and Host Prototype Pollution

Summary A sandbox escape is possible by shadowing hasOwnProperty on a sandbox object, which disables prototype whitelist enforcement in the property-access path. This permits direct access to proto and other blocked prototype properties, enabling host Object.prototype pollution and persistent...

CVE-2026-1301

In builds with PubSub and JSON enabled, a crafted JSON message can cause the decoder to write beyond a heap-allocated array before authentication, reliably crashing the process and corrupting memory...

CVE-2026-1301

CVE-2026-1301 pertains to o6 Automation GmbH Open62541 (Open62541/Open62541-like builds) where in PubSub with JSON decoding enabled a crafted JSON message can cause a heap-allocated array write beyond bounds before authentication, leading to a process crash and memory corruption. Affected compone...

GHSA-5JG5-XQFW-RV92 Microweber has a Cross-site Scripting vulnerability

Cross-site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The iss...

Cross-site Scripting (XSS)

Overview microweber/microweber is a new generation CMS with drag and drop. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the relid parameter in the /admin/category/create endpoint. An attacker can execute arbitrary JavaScript code in the context of an...

CVE-2025-15551

The response coming from TP-Link Archer MR200 v5.2, C20 v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle MitM attack to execute JavaScript code o...

CVE-2025-15551

The response coming from TP-Link Archer MR200 v5.2, C20 v5 and v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle MitM attack to execute JavaScript...

Cross-site Scripting (XSS)

Overview nicegui is a Create web-based user interfaces with Python. The nice way. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the ui.markdown function. An attacker can execute arbitrary JavaScript in the context of the user's browser by injecting malicious HTM...

NiceGUI's XSS vulnerability in ui.markdown() allows arbitrary JavaScript execution through unsanitized HTML content

Description The ui.markdown component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through ui.markdown, an...

CVE-2025-15551 LAN Code Execution on TP-Link Archer MR200, Archer C20, TL-WR850N and TL-WR845N

The response coming from TP-Link Archer MR200 v5.2, C20 v5 and v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle MitM attack to execute JavaScript...

EUVD-2025-206826

The response coming from TP-Link Archer MR200 v5.2, C20 v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle MitM attack to execute JavaScript code o...

CVE-2025-15551 LAN Code Execution on TP-Link Archer MR200, Archer C20, TL-WR850N and TL-WR845N

The response coming from TP-Link Archer MR200 v5.2, C20 v5 and v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle MitM attack to execute JavaScript...