Joern 4.0.524

Joern is the bug hunter's workbench. With this tool, you can uncover attack surface, sloppy coding practices, and variants of known vulnerabilities using an interactive code analysis shell. Joern supports C, C++, LLVM bitcode, x86 binaries via Ghidra, JVM bytecode via Soot, and Javascript...

UBUNTU-CVE-2026-41242

protobufjs compiles protobuf definitions into JavaScript JS function...

Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability

Synacor Zimbra Collaboration Suite ZCS contains a cross-site scripting vulnerability that could allow attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information...

CVE-2026-41242

protobufjs compiles protobuf definitions into JavaScript JS functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the...

CVE-protobufjs-GHSA-xq3m-2v4x-88gg

GHSA-xq3m-2v4x-88gg: protobuf.js Remote Code Execution Critic...

GHSA-W9R4-94FJ-XP69 Apache Airflow Exposes Secrets in Variables Saved as JSON Dictionaries

Secrets in Variables saved as JSON dictionaries were not properly redacted - in case the variables were retrieved by the user the secrets stored as nested fields were not masked. If developers do not store variables with sensitive values in JSON form, their projects are not affected. Otherwise...

PYSEC-2026-19

Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked.If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to...

CVE-2026-32690 Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1

Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to...

Wger Has Stored XSS Via Unescaped License Attribution Fields

Stored XSS via Unescaped License Attribution Fields Summary The "AbstractLicenseModel.attributionlink" property in "wger/utils/models.py" constructs HTML strings by directly interpolating user-controlled fields "licenseauthor", "licensetitle", "licenseobjecturl", "licenseauthorurl",...

Cross-site Scripting (XSS)

Overview pretalx is a Conference organisation: CfPs, scheduling, much more Affected versions of this package are vulnerable to Cross-site Scripting XSS in the organizer search. An attacker can execute arbitrary JavaScript code in the context of an organizer's browser by injecting malicious payloa...

Apache Airflow 安全漏洞

Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. This platform features scalability and dynamic monitoring capabilities. Prior to Apache Airflow 3.2.0, there were security...

PT-2026-34723

Name of the Vulnerable Software and Affected Versions pretalx versions prior to 2026.1.0 Description The organiser search in the backend renders submission titles, speaker display names, and user names or emails into the result dropdown using innerHTML string interpolation. This allows a user who...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the GitHub OAuth callback handler when the refreshInterval query parameter is embedded verbatim into an error message and rendered unescaped into HTML. An attacker can execute arbitrary JavaScript in the...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the GitHub OAuth callback handler when the refreshInterval query parameter is embedded verbatim into an error message and rendered unescaped into HTML. An attacker can execute arbitrary JavaScript in the...

CVE-2026-40353 wger: Stored XSS via Unescaped License Attribution Fields

wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attributionlink property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields such as licenseauthor without escaping, and templates render the result using Django's...

CVE-2026-40283 WeGIA has stored XSS in profile_paciente.php

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting XSS vulnerability allows an authenticated user to inject malicious JavaScript via the "Nome" field in the "Informações Pacientes" page. The payload is stored and executed when the patien...

CVE-2026-40283

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting XSS vulnerability allows an authenticated user to inject malicious JavaScript via the "Nome" field in the "Informações Pacientes" page. The payload is stored and executed when the patien...

EUVD-2025-209471

A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges can define a malicious custom field containing a JavaScript payload. When the victim views the...

EUVD-2026-22836

Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting XSS due to improper ordering of URL validation and normalization. The renderer validates link destinations using a prefix-based check IsDangerousURL before resolving HTML entities...

Chromium: CVE-2026-6363 Type Confusion in V8

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...