CVE-2026-23960 Argo Workflows affected by stored XSS in the artifact directory listing

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo...

CVE-2026-23960

CVE-2026-23960 affects Argo Workflows prior to versions 3.6.17 and 3.7.8. A stored XSS vulnerability in the artifact directory listing can cause arbitrary JavaScript to run in another user’s browser within the Argo Server origin, enabling actions with the victim’s privileges. Affected component: ...

GHSA-CV78-6M8Q-PH82 Argo Workflows affected by stored XSS in the artifact directory listing

Summary Stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges. Details The directory listing response in server/artifacts/artifactserver.go...

Argo Workflows affected by stored XSS in the artifact directory listing

Summary Stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges. Details The directory listing response in server/artifacts/artifactserver.go...

CVE-2026-23516

CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or...

CVE-2026-22792

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe HTML rendering permits untrusted HTML including on event attributes to execute in the renderer context. An attacker can inject an payload to run arbitrary...

CVE-2026-22792 5ire vulnerable to Remote Code Execution (RCE)

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe HTML rendering permits untrusted HTML including on event attributes to execute in the renderer context. An attacker can inject an payload to run arbitrary...

CVE-2026-1245

A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without...

CVE-2021-47860

GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. Attackers can craft a malicious website that triggers a cross-site scripting payload to execute remote cod...

CVE-2021-47860

CVE-2021-47860 concerns GetSimple CMS Custom JS 0.1. The vulnerability is a cross-site request forgery that can enable unauthenticated attackers to inject arbitrary client-side code into administrator browsers, potentially triggering a reflected XSS payload to execute remote code on the hosting s...

EUVD-2026-3618

OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript through user profile parameters. Attackers can exploit the vulnerability by crafting a malicious payload to download and execute a web shell, enabling remote command...

CVE-2025-57681

The WorklogPRO - Timesheets for Jira plugin in Jira Data Center before version 4.23.6-jira10 and before version 4.23.5-jira9 allows users and attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability. The vulnerability is exploited via a specially crafted paylo...

GHSA-3RXJ-6CGF-8CFW seroval Affected by Remote Code Execution via JSON Deserialization

Improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. The vulnerability can be exploited via overriding constant value and error deserialization, which allows indirect access to unsafe JS evaluation. This requires at least the ability to...

seroval Affected by Remote Code Execution via JSON Deserialization

Improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. The vulnerability can be exploited via overriding constant value and error deserialization, which allows indirect access to unsafe JS evaluation. This requires at least the ability to...

EUVD-2026-3680

seroval Affected by Prototype Pollution via JSON Deserialization...

org.webjars.npm:solid-js (=1.9.5) potentially affected by CVE-2026-23736 via org.webjars.npm:seroval (=1.2.1)

org.webjars.npm:seroval MAVEN version =1.2.1 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:seroval and may be impacted: - org.webjars.npm:solid-js =1.9.5 Source cves: CVE-2026-23736 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15054524...

GHSA-HJ76-42VX-JWP4 seroval Affected by Prototype Pollution via JSON Deserialization

Due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This affects only JSON deserialization functionality. As there is no known workaround, please upgrade to the latest version...

CVE-2025-58090

Multiple reflected cross-site scripting xss vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities.This...

CVE-2025-58092

Multiple reflected cross-site scripting xss vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities.This...

CVE-2025-58093

Multiple reflected cross-site scripting xss vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities.This...