CVE-2026-0835

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.72, 6.2.0.0 through 6.2.0.51, 6.2.1.0 through 6.2.1.11, and 6.2.2.0 are vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus alterin...

CVE-2026-22210 wpDiscuz before 7.6.47 - Cross-Site Scripting via Unescaped Attachment URLs

wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary...

IBM Sterling B2B Integrator和IBM Sterling File Gateway 跨站脚本漏洞

IBM Sterling B2B Integrator and IBM Sterling File Gateway are both products of International Business Machines IBM. IBM Sterling B2B Integrator is a software suite that integrates critical B2B processes, transactions, and relationships. This software supports secure integration of complex B2B...

Statamic 跨站脚本漏洞

Statamic is a powerful flat-file CMS built using Laravel by Statamic Inc. It allows for storing all content, templates, assets, and settings in files rather than in a database. Versions of Statamic prior to 6.6.2 had a cross-site scripting vulnerability. This vulnerability stemmed from a...

EUVD-2026-11180

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the markdownplaceholders feature flag was enabled, to inject JavaScript in a browser due to improper...

CVE-2026-1090

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the markdownplaceholders feature flag was enabled, to inject JavaScript in a browser due to improper...

CVE-2026-1090

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the markdownplaceholders feature flag was enabled, to inject JavaScript in a browser due to improper...

CVE-2026-1090 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the markdownplaceholders feature flag was enabled, to inject JavaScript in a browser due to improper...

CVE-2026-1090

Removed by vendor...

GitLab 跨站脚本漏洞

GitLab is an end-to-end software development platform provided by the American company GitLab. It features built-in version control, issue tracking, code review, and CI/CD Continuous Integration and Delivery capabilities. GitLab has a cross-site scripting vulnerability, which stems from improper...

PT-2026-24713

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the markdown placeholders feature flag was enabled, to inject JavaScript in a browser due to improper...

GitLab 10.6 < 18.7.6 / 18.8 < 18.8.6 / 18.9 < 18.9.2 (CVE-2026-1090)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the...

CVE-2026-31807

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer SanitizeSVG blocks dangerous elements , , and removes on event handlers and javascript: in href attributes. However, it does NOT block SVG animation elements , which can dynamically set attributes to dangero...

Schneider Electric多款产品 跨站脚本漏洞

Schneider Electric Modicon M258 is a product of the French company Schneider Electric. Schneider Electric Modicon M258 is a programmable automation controller. Schneider Electric Modicon M241 is a programmable logic controller. Schneider Electric Modicon M251 is also a programmable logic...

Cross-site Scripting (XSS)

Astro is vulnerable to Cross Site Scripting XSS. The vulnerability is due to a Reflected Cross-Site Scripting XSS vulnerability in Astro's development server error pages when the trailingSlash configuration option is used, where an attacker can inject arbitrary JavaScript code that executes in th...

CVE-2026-29091 Locutus: Remote Code Execution (RCE) in locutus call_user_func_array due to Code Injection

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution RCE flaw was discovered in the locutus project, specifically within the calluserfuncarray function implementation. The vulnerability allows an attacker to...

Linux Distros Unpatched Vulnerability : CVE-2025-64999

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check outp...

CVE-2026-3241

In Concrete CMS below version 9.4.8, a stored cross-site scripting XSS vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms e.g., a rogue administrator can inject a persistent JavaScript payload into the options of a multiple-choice...

CVE-2026-3244

In Concrete CMS below version 9.4.8, A stored cross-site scripting XSS vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page nam...

CVE-2026-3244

In Concrete CMS below version 9.4.8, A stored cross-site scripting XSS vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page nam...