CVE-2025-59302

In Apache CloudStack improper control of generation of code 'Code Injection' vulnerability is found in the following APIs which are accessible only to admins. quotaTariffCreate quotaTariffUpdate createSecondaryStorageSelector updateSecondaryStorageSelector updateHost updateStorage This issue...

CVE-2025-59302 Apache CloudStack: Potential remote code execution on Javascript engine defined rules

In Apache CloudStack improper control of generation of code 'Code Injection' vulnerability is found in the following APIs which are accessible only to admins. quotaTariffCreate quotaTariffUpdate createSecondaryStorageSelector updateSecondaryStorageSelector updateHost updateStorage This issue...

CVE-2025-59302 Apache CloudStack: Potential remote code execution on Javascript engine defined rules

In Apache CloudStack improper control of generation of code 'Code Injection' vulnerability is found in the following APIs which are accessible only to admins. quotaTariffCreate quotaTariffUpdate createSecondaryStorageSelector updateSecondaryStorageSelector updateHost updateStorage This issue...

CVE-2025-59302

CVE-2025-59302 concerns Apache CloudStack where code injection is possible via admin-only APIs: quotaTariffCreate, quotaTariffUpdate, createSecondaryStorageSelector, updateSecondaryStorageSelector, updateHost, and updateStorage. The issue arises from improper control of code generation. A fix fla...

Remote Code Execution (RCE)

Happy DOM is vulnerable to Remote Code Execution RCE. The vulnerability is due to the use of a non-isolated Node.js VM context with JavaScript evaluation enabled by default, which allows an attacker to run untrusted code that can escape the sandbox—potentially gaining access to process-level...

EUVD-2025-199807

Malicious code in bitcoin-lib-js npm...

MAL-2025-191478 Malicious code in bitcoin-lib-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 480dbd7d7ec801a0212ee78ebb73268cd67ba4fb96b06ec563fbafe31aa10531 The package bitcoin-lib-js was found to contain malicious code. Source: ghsa-malware 95f79207062e8c5db317d3487c20f36927b99e9f0b9bfc2551c22a23d10c020f...

CVE-2025-66258

Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Stored XSS via crafted filenames injected into patchlist.xml. User-controlled filenames a...

UBUNTU-CVE-2025-66040

Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting XSS vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's brows...

Cross-site Scripting (XSS)

Overview spotipy is an A light weight Python library for the Spotify Web API Affected versions of this package are vulnerable to Cross-site Scripting XSS via the RequestHandler.doGET function due to the error parameter in the OAuth callback server. An attacker can execute arbitrary JavaScript in...

PT-2025-48264

Name of the Vulnerable Software and Affected Versions Apache CloudStack versions 4.18.0 through 4.20.1 Apache CloudStack versions 4.21.0 through 4.21.9 Description An improper control of code generation 'Code Injection' issue exists in Apache CloudStack, specifically within several APIs accessibl...

CVE-2025-66040 Spotipy has a XSS vulnerability in OAuth callback server

Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting XSS vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's brows...

CVE-2025-66040

Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting XSS vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's brows...

CVE-2025-12571 Allocation of Resources Without Limits or Throttling in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an unauthenticated user to cause a Denial of Service condition by sending specifically crafted requests containing malicious JSON...

CVE-2025-64130

Zenitel TCIV-3+ is vulnerable to a reflected cross-site scripting vulnerability, which could allow a remote attacker to execute arbitrary JavaScript on the victim's browser...

CVE-2025-64130 Zenitel TCIV-3+ Cross-site Scripting

Zenitel TCIV-3+ is vulnerable to a reflected cross-site scripting vulnerability, which could allow a remote attacker to execute arbitrary JavaScript on the victim's browser...

CVE-2025-64130

Zenitel TCIV-3+ is affected by a reflected cross-site scripting vulnerability that could allow a remote attacker to run arbitrary JavaScript in a victim’s browser. The issue is described across multiple sources (NVD/Red Hat/EUVD/CVELIST/CISA) as a reflected XSS affecting the device, with the vuln...

CVE-2025-65237

A reflected cross-site scripted XSS vulnerability in OpenCode Systems USSD Gateway OC Release: 5 allows attackers to execute arbitrary JavaScript in the context of a user's browser via injecting a crafted payload...

CVE-2025-65026

esm.sh is a nobuild content delivery networkCDN for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability CWE-94 in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter,...

SUSE-SU-2025:2169-1 Security update for yelp

This update for yelp fixes the following issues: - CVE-2025-3155: JavaScript code execution and arbitrary file read through specially crafted help files and ghelp scheme URLs bsc1240688...