CVE-2025-71164

Typesetter CMS

CVE-2025-71164

Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting XSS vulnerability in the Editing component. The images parameter submitted as images in a POST request is reflected into an HTML href attribute without proper context-aware output encoding in...

Online shoppers at risk as Magecart skimming hits major payment networks

Researchers have been tracking a Magecart campaign that targets several major payment providers, including American Express, Diners Club, Discover, and Mastercard. Magecart is an umbrella term for criminal groups that specialize in stealing payment data from online checkout pages using malicious...

Cross-site Scripting (XSS)

React Router is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper handling of untrusted input in the meta / APIs during server-side rendering, which allows an attacker to inject malicious script content into generated script:ld+json tags and execute arbitrary JavaScript...

Security update for MozillaFirefox

This update for MozillaFirefox fixes the following issues: Update to Firefox Extended Support Release 140.7.0 ESR bsc1256340. MFSA 2026-03 CVE-2026-0877: Mitigation bypass in the DOM: Security component CVE-2026-0878: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebG...

SUSE-SU-2026:0122-1 Security update for MozillaFirefox

This update for MozillaFirefox fixes the following issues: Update to Firefox Extended Support Release 140.7.0 ESR bsc1256340. - MFSA 2026-03 CVE-2026-0877: Mitigation bypass in the DOM: Security component CVE-2026-0878: Sandbox escape due to incorrect boundary conditions in the Graphics:...

Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow

Node.js has released updates to fix what it described as a critical security issue impacting "virtually every production Node.js app" that, if successfully exploited, could trigger a denial-of-service DoS condition. "Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion wi...

SUSE CVE-2026-0884

Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7...

SUSE CVE-2026-0885

Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7...

PT-2026-2944

Name of the Vulnerable Software and Affected Versions Typesetter CMS versions up to and including 5.1 Description Typesetter CMS versions up to and including 5.1 have a reflected cross-site scripting XSS issue in the Editing component. The images parameter, submitted as images in a POST request, ...

PT-2026-2963

Name of the Vulnerable Software and Affected Versions Nexus Repository 3 affected versions not specified Description A reflected cross-site scripting issue exists that could allow attackers to execute JavaScript code in a user's browser. This requires a crafted request and user interaction. The...

MiracleLinux 8 : thunderbird-140.6.0-1.el8_10.ML.1 (AXSA:2026-021:01)

The remote MiracleLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2026-021:01 advisory. firefox: Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146 CVE-2025-14333 firefox: Use-after-free...

CVE-2026-22813

OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response...

CVE-2023-54332

Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject malicious scripts through the postid parameter. Attackers can craft malicious URLs with script payloads to execute arbitrary JavaScript in victims' browsers when they interact wit...

CVE-2023-53985

Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads in manual insertion points to execute arbitrary JavaScript code in...

CVE-2023-53985

Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads in manual insertion points to execute arbitrary JavaScript code in...

CVE-2022-50896

Testa 3.5.1 contains a reflected cross-site scripting vulnerability in the login.php redirect parameter that allows attackers to inject malicious scripts. Attackers can craft a specially encoded payload in the redirect parameter to execute arbitrary JavaScript in victim's browser context...

CVE-2021-47750

YouPHPTube = 7.8 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the redirectUri parameter in the signup page. Attackers can craft special signup URLs with embedded script tags to execute arbitrary JavaScript in victims' browsers when they...

CVE-2021-47750

YouPHPTube = 7.8 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the redirectUri parameter in the signup page. Attackers can craft special signup URLs with embedded script tags to execute arbitrary JavaScript in victims' browsers when they...

CVE-2020-36919

WPForms 1.7.8 contains a cross-site scripting vulnerability in the slider import search feature and tab parameter. Attackers can inject malicious scripts through the ListTable.php endpoint to execute arbitrary JavaScript in victim's browser...