Arbitrary Code Execution
binary-parser is vulnerable to Arbitrary Code Execution. The vulnerability is due to unsanitized interpolation of untrusted values into dynamically generated code, where attacker-controlled parser field names or encoding parameters are embedded directly into generated JavaScript, allowing arbitra...
CVE-2026-24037
Horilla is a free and open source Human Resource Management System HRMS. In version 1.4.0, the hasxss function attempts to block XSS by matching input against a set of regex patterns. However, the regexes are incomplete and context-agnostic, making them easy to bypass. Attackers are able to...
SUSE CVE-2026-23736
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON...
SUSE CVE-2026-24006
Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a depthLimit parameter in...
CVE-2025-69908
The CVE-2025-69908 entry concerns Newgen OmniApp, where an unauthenticated information disclosure vulnerability can enumerate valid privileged usernames through a publicly accessible client-side JavaScript resource. Affected component is the client-side JavaScript used by OmniApp; root cause is e...
CVE-2025-69908
An unauthenticated information disclosure vulnerability in Newgen OmniApp allows attackers to enumerate valid privileged usernames via a publicly accessible client-side JavaScript resource...
Newgen OmniApp security vulnerability
Newgen OmniApp is a mobile application development framework provided by the American company Newgen. Newgen OmniApp has a security vulnerability, which stems from the ability to enumerate valid privileged user names through publicly accessible client-side JavaScript resources, potentially leadin...
PT-2026-4473
Name of the Vulnerable Software and Affected Versions: Newgen OmniApp (affected versions not specified). Description: An unauthenticated information disclosure issue exists in Newgen OmniApp. This allows attackers to identify valid privileged usernames through a publicly accessible client-side...
JS Secret Hunter 2
JS Secret Hunter is an advanced Python tool designed for security researchers to automate the detection of hardcoded secrets in client-side JavaScript. Unlike simple scanners, V2 includes a dynamic crawler that parses the HTML of the target website to extract all loaded JavaScript files...
Google Chrome security vulnerability
Google Chrome is a web browser from Google, an American company. Google Chrome suffers from a code execution vulnerability that stems from the V8 engine's lack of effective protection against concurrent access to shared resources, which can be exploited by an attacker to execute arbitrary code on...
CVE-2025-9289
A Cross-Site Scripting XSS vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator. If...
CVE-2026-23516
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or...
CVE-2025-9289
CVE-2025-9289 is a Cross-Site Scripting (XSS) vulnerability in Omada Controllers caused by improper input sanitization in a parameter. Exploitation requires specific conditions (network positioning or impersonating a trusted entity) and interaction from an authenticated administrator, potentially...
CVE-2026-22793
5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe option parsing vulnerability in the ECharts Markdown plugin allows any user able to submit ECharts code blocks to execute arbitrary JavaScript code in the...
Cross-site Scripting (XSS)
Overview: @typebot.io/js is a JavaScript library to display typebots on your website. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the imported bot preview. An attacker can access sensitive credentials belonging to other users by tricking a victim into previewing...
CVE-2021-47860
GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. Attackers can craft a malicious website that triggers a cross-site scripting payload to execute remote cod...
Security update for MozillaFirefox
This update for MozillaFirefox fixes the following issues: Update to Firefox Extended Support Release 140.7.0 ESR (bsc1256340). MFSA 2026-03: CVE-2026-0877: Mitigation bypass in the DOM: Security component; CVE-2026-0878: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebG...