5922 matches found

RedhatCVE
added 2025/05/21 4:39 p.m., 10 views

CVE-2025-26621

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.5.2, any user with the "manage customizations" capability can edit a webhook that will execute JavaScript code. This can be abused to cause a denial of service attack by prototype...

7.6 CVSS, 6.9 AI score, 0.00727 EPSS
Exploits: 0, References: 1

CNVD
added 2025/05/20 12:0 a.m., 2 views

Mozilla Thunderbird Cross-Site Scripting Vulnerability (CNVD-2025-18673)

Mozilla Thunderbird is an e-mail client from the Mozilla Foundation (United States), independent of the Mozilla Application Suite. The program supports the IMAP and POP mail protocols and the HTML mail format. A cross-site scripting vulnerability exists in Mozilla Thunderbird, which stems from...

6.5 CVSS, 6.3 AI score, 0.00422 EPSS
Exploits: 0, References: 1

RedHat Linux
added 2025/05/19 6:24 a.m., 4 views

grafana: Cross-site Scripting (XSS) in Grafana via Custom Frontend Plugins and Open Redirect

A flaw was found in Grafana's custom frontend plugin handling. This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by exploiting a client path traversal and an open redirect issue, leading to arbitrary JavaScript execution and potential user redirection to malicious...

7.6 CVSS, 5.8 AI score, 0.06888 EPSS
Exploits: 6, References: 5

RedHat Linux
added 2025/05/19 6:21 a.m., 4 views

grafana: Cross-site Scripting (XSS) in Grafana via Custom Frontend Plugins and Open Redirect

A flaw was found in Grafana's custom frontend plugin handling. This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by exploiting a client path traversal and an open redirect issue, leading to arbitrary JavaScript execution and potential user redirection to malicious...

7.6 CVSS, 5.8 AI score, 0.06888 EPSS
Exploits: 6, References: 5

RedHat Linux
added 2025/05/19 6:20 a.m., 2 views

grafana: Cross-site Scripting (XSS) in Grafana via Custom Frontend Plugins and Open Redirect

A flaw was found in Grafana's custom frontend plugin handling. This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by exploiting a client path traversal and an open redirect issue, leading to arbitrary JavaScript execution and potential user redirection to malicious...

7.6 CVSS, 5.8 AI score, 0.06888 EPSS
Exploits: 6, References: 5

Veracode
added 2025/05/19 4:27 a.m., 3 views

Cross-Site Scripting

Bootstrap Multiselect is vulnerable to Reflective Cross-Site Scripting (XSS). The vulnerability is due to unsanitized output of POST data in a PHP script, which allows attackers to execute arbitrary JavaScript in the context of a victim's browser through Cross-Site Request Forgery (CSRF)...

6.1 CVSS, 6.7 AI score, 0.01436 EPSS
Exploits: 0, References: 4, Affected Software: 1

CNNVD
added 2025/05/19 12:0 a.m., 2 views

OpenCTI Code Injection Vulnerability

OpenCTI is an open source cyber threat intelligence platform from OpenCTI Open Source. A code injection vulnerability exists in versions prior to OpenCTI 6.5.2, which originates from a user-editable webhook that executes JavaScript code, potentially leading to a denial-of-service attack...

7.6 CVSS, 7.2 AI score, 0.00727 EPSS
Exploits: 0, References: 2

RedhatCVE
added 2025/05/17 5:56 a.m., 13 views

CVE-2024-13914

The File Manager Advanced Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.4 (file-manager-advanced-shortcode) and 2.5.6 (advanced-file-manager-pro-premium), via the 'filemanageradvanced' shortcode. This makes it possible for authenticated...

7.2 CVSS, 7.3 AI score, 0.00709 EPSS
Exploits: 0, References: 1

Debian
added 2025/05/16 7:28 p.m., 8 views

[SECURITY] [DSA 5921-1] thunderbird security update

Debian Security Advisory DSA-5921-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff May 16, 2025 https://www.debian.org/security/faq -...

8.1 CVSS, 7 AI score, 0.00422 EPSS
Exploits: 0

OSV
added 2025/05/16 11:15 a.m., 4 views

CVE-2025-40632

Cross-site scripting (XSS) in Icewarp Mail Server affecting version 11.4.0. This vulnerability allows an attacker to modify the “lastLogin” cookie with malicious JavaScript code that will be executed when the page is rendered...

6.1 CVSS, 5.8 AI score, 0.00167 EPSS
Exploits: 0, References: 1

Cvelist
added 2025/05/16 11:9 a.m., 11 views

CVE-2025-40631 HTTP host header injection vulnerability in IceWarp Mail Server

HTTP host header injection vulnerability in Icewarp Mail Server affecting version 11.4.0. By modifying the Host header and adding a payload, arbitrary JavaScript code can be executed on page load. The user must interact with a malicious link to be redirected...

2 CVSS, 0.00195 EPSS
Exploits: 0, References: 1

GithubExploit
added 2025/05/16 7:19 a.m., 177 views

Exploit for Improper Check for Unusual or Exceptional Conditions in Mozilla Firefox

!IMPORTANT This repository is designed for learning about vu...

8.8 CVSS, 7.3 AI score, 0.40321 EPSS
Exploits: 14

CNNVD
added 2025/05/16 12:0 a.m., 3 views

IceWarp Mail Server Security Vulnerability

IceWarp Mail Server is a mail server product from the Czech company IceWarp. The product supports email archiving, SmartAttach attachments, automatic migration and more. A security vulnerability exists in IceWarp Mail Server version 11.4.0, which originates from HTTP host header injection and cou...

6.1 CVSS, 7.1 AI score, 0.00195 EPSS
Exploits: 0, References: 2

RedhatCVE
added 2025/05/15 4:14 a.m., 18 views

CVE-2025-4123

A flaw was found in Grafana's custom frontend plugin handling. This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by exploiting a client path traversal and an open redirect issue, leading to arbitrary JavaScript execution and potential user redirection to malicious...

7.6 CVSS, 5.8 AI score, 0.06888 EPSS
Exploits: 6, References: 4

Positive Technologies
added 2025/05/15 12:0 a.m., 2 views

PT-2025-21264 · WordPress · Advanced-File-Manager-Pro-Premium +1

Name of the Vulnerable Software and Affected Versions: File Manager Advanced Shortcode WordPress plugin versions up to, and including, 2.5.4; advanced-file-manager-pro-premium versions up to, and including, 2.5.6. Description: The issue allows authenticated attackers with Administrator-level access...

7.2 CVSS, 7.5 AI score, 0.00709 EPSS
Exploits: 0, References: 8

OSV
added 2025/05/14 8:15 p.m., 1 views

CVE-2024-45516

An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session,...

6.1 CVSS, 5.9 AI score
Exploits: 0, References: 4

NVD
added 2025/05/14 5:15 p.m., 11 views

CVE-2025-3909

Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened,...

8.1 CVSS, 0.00422 EPSS
Exploits: 0, References: 4

AlpineLinux
added 2025/05/14 5:15 p.m., 2 views

CVE-2025-3909

Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened,...

6.5 CVSS, 7.1 AI score, 0.00422 EPSS
Exploits: 0, References: 4

OSV
added 2025/05/14 5:15 p.m., 7 views

CVE-2025-3909

Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened,...

8.1 CVSS, 6.5 AI score
Exploits: 0, References: 4

Vulnrichment
added 2025/05/14 4:56 p.m., 8 views

CVE-2025-3909 JavaScript Execution via Spoofed PDF Attachment and file:/// Link

Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened,...

7.1 AI score, 0.00422 EPSS
Exploits: 0, References: 3