
59014 matches found

CVE
added 2026/01/24 9:8 a.m. | 15 views

CVE-2026-1191

CVE-2026-1191 concerns the WordPress plugin JavaScript Notifier, vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to 1.2.8. The root cause is insufficient input sanitization and output escaping on user-supplied attributes used in the wp_footer action. Exploitation ...

CVSS 4.4 | AI score 5.8 | EPSS 0.00199
Exploits: 0 | References: 4

RedhatCVE
added 2026/01/24 3:17 a.m. | 7 views

CVE-2025-69908

An unauthenticated information disclosure vulnerability in Newgen OmniApp allows attackers to enumerate valid privileged usernames via a publicly accessible client-side JavaScript resource...

CVSS 7.5 | AI score 5.5 | EPSS 0.00381
Exploits: 1 | References: 1

EUVD
added 2026/01/24 12:5 a.m. | 6 views

EUVD-2026-4613

ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an iframe payload containing a javascript: URI can be processed and executed in the browser context. This allow...

CVSS 9.3 | AI score 5.4 | EPSS 0.00302
Exploits: 1 | References: 3

Vulnrichment
added 2026/01/24 12:5 a.m. | 4 views

CVE-2026-24399 ChatterMate has Stored Cross-Site Scripting (XSS) via Chatbot Input Execution

ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an iframe payload containing a javascript: URI can be processed and executed in the browser context. This allow...

CVSS 9.3 | AI score 5.8 | EPSS 0.00302
Exploits: 1 | References: 3

ATTACKERKB
added 2026/01/24 12:5 a.m. | 4 views

CVE-2026-24399

ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an iframe payload containing a javascript: URI can be processed and executed in the browser context. This allow...

CVSS 9.3 | AI score 5.8 | EPSS 0.00302
Exploits: 1 | References: 4 | Affected Software: 1

CVE
added 2026/01/24 12:5 a.m. | 21 views

CVE-2026-24399

ChatterMate (no-code AI chatbot framework) is vulnerable in versions 1.0.8 and earlier due to input-processed HTML/JavaScript payloads. An iframe payload containing a javascript: URI can be processed in the browser context, allowing access to client-side data (localStorage tokens, cookies) and re...

CVSS 9.3 | AI score 5.4 | EPSS 0.00302
Exploits: 1 | References: 3 | Affected Software: 1

Cvelist
added 2026/01/24 12:5 a.m. | 37 views

CVE-2026-24399 ChatterMate has Stored Cross-Site Scripting (XSS) via Chatbot Input Execution

ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an iframe payload containing a javascript: URI can be processed and executed in the browser context. This allow...

CVSS 9.3 | EPSS 0.00302
Exploits: 1 | References: 3

CNNVD
added 2026/01/24 12:0 a.m. | 3 views

WordPress Plugin JavaScript Notifier: Cross-Site Script Vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

CVSS 4.4 | AI score 5.7 | EPSS 0.00199
Exploits: 0 | References: 4

Tenable Nessus
added 2026/01/24 12:0 a.m. | 6 views

AlmaLinux 9 : thunderbird (ALSA-2026:0924)

The remote AlmaLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2026:0924 advisory. firefox: Spoofing issue in the Downloads Panel component CVE-2025-14327 firefox: Use-after-free in the JavaScript: GC component CVE-2026-0885 firefox:...

CVSS 9.8 | AI score 5.8 | EPSS 0.0055
Exploits: 0 | References: 15

Tenable Nessus
added 2026/01/24 12:0 a.m. | 3 views

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : MozillaFirefox (SUSE-SU-2026:0260-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0260-1 advisory. Update to Firefox Extended Support Release 140.7.0 ESR bsc1256340. - MFSA 2026-03 CVE-2026-0877:...

CVSS 9.8 | AI score 5.8 | EPSS 0.0055
Exploits: 0 | References: 28

CVE
added 2026/01/23 11:50 p.m. | 10 views

CVE-2026-24474

Summary: CVE-2026-24474 affects the Dioxus Components library (shadcn-style components for the Dioxus app framework). Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, the function use_animated_open formats a string for eval using a user-supplied id, enabling a potential JavaScript inject...

CVSS 5.3 | AI score 5.4 | EPSS 0.00369
Exploits: 0 | References: 2

Vulnrichment
added 2026/01/23 11:50 p.m. | 3 views

CVE-2026-24474 Dioxus Components has JavaScript injection via user-supplied IDs

Dioxus Components is a shadcn-style component library for the Dioxus app framework. Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, use_animated_open formats a string for eval with an id that can be user supplied. Commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a patches the issue...

CVSS 5.3 | AI score 5.8 | EPSS 0.00369
Exploits: 0 | References: 2

Cvelist
added 2026/01/23 11:50 p.m. | 36 views

CVE-2026-24474 Dioxus Components has JavaScript injection via user-supplied IDs

Dioxus Components is a shadcn-style component library for the Dioxus app framework. Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, use_animated_open formats a string for eval with an id that can be user supplied. Commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a patches the issue...

CVSS 5.3 | EPSS 0.00369
Exploits: 0 | References: 2

OSV
added 2026/01/23 11:50 p.m. | 5 views

CVE-2026-24474 Dioxus Components has JavaScript injection via user-supplied IDs

Dioxus Components is a shadcn-style component library for the Dioxus app framework. Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, use_animated_open formats a string for eval with an id that can be user supplied. Commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a patches the issue...

CVSS 5.3 | AI score 5.5 | EPSS 0.00369
Exploits: 0 | References: 4

NVD
added 2026/01/23 5:15 p.m. | 4 views

CVE-2021-47892

PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the 'Comments / Special Instructions' parameter of the purchase page. Attackers can inject malicious JavaScript payloads that will execute when the page is refreshed, potentially allowing client-side script execution...

CVSS 7.2 | EPSS 0.00225
Exploits: 0 | References: 3

Vulnrichment
added 2026/01/23 4:47 p.m. | 5 views

CVE-2021-47906 BloofoxCMS 0.5.2.1 - 'text' Stored Cross Site Scripting

BloofoxCMS 0.5.2.1 contains a stored cross-site scripting vulnerability in the articles text parameter that allows authenticated attackers to inject malicious scripts. Attackers can insert malicious javascript payloads in the text field to execute scripts and potentially steal authenticated users...

CVSS 6.4 | AI score 5.2 | EPSS 0.00197
Exploits: 0 | References: 4

Vulnrichment
added 2026/01/23 4:47 p.m. | 4 views

CVE-2021-47897 PEEL Shopping 9.3.0 - 'address' Stored Cross-Site Scripting

PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the address parameter of the changeparams.php script. Attackers can inject malicious JavaScript payloads that execute when users interact with the address text box, potentially enabling client-side script execution...

CVSS 7.2 | AI score 5.1 | EPSS 0.00225
Exploits: 0 | References: 3

CVE
added 2026/01/23 4:47 p.m. | 9 views

CVE-2021-47892

CVE-2021-47892 concerns PEEL Shopping 9.3.0 and a stored cross-site scripting vulnerability in the "Comments / Special Instructions" parameter of the purchase page. The issue allows injection of malicious JavaScript that is executed when the page is refreshed. The available connected sources clea...

CVSS 7.2 | AI score 5.1 | EPSS 0.00225
Exploits: 0 | References: 3

NVD
added 2026/01/23 4:15 p.m. | 3 views

CVE-2025-69908

An unauthenticated information disclosure vulnerability in Newgen OmniApp allows attackers to enumerate valid privileged usernames via a publicly accessible client-side JavaScript resource...

CVSS 7.5 | EPSS 0.00381
Exploits: 1 | References: 2

EUVD
added 2026/01/23 2:55 p.m. | 4 views

EUVD-2026-4322

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can...

CVSS 8.2 | AI score 5.6 | EPSS 0.00351
Exploits: 0 | References: 4