58906 matches found
CVE-2026-39842
OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution on the server. The JavaScript rules engine executes user-supplied scripts via Nashorn's ScriptEngine.eval...
USN-8181-1 libowasp-esapi-java vulnerabilities
Jaroslav Lobačevski discovered that ESAPI incorrectly validated directory paths during path verification. An attacker could possibly use this issue to bypass directory validation checks, leading to control-flow bypass. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS,...
firefox: thunderbird: Use-after-free in the JavaScript Engine component
A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Use-after-free in the JavaScript Engine component...
firefox: thunderbird: Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component
A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component...
firefox: thunderbird: JIT miscompilation in the JavaScript Engine component
A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: JIT miscompilation in the JavaScript Engine component...
firefox: thunderbird: JIT miscompilation in the JavaScript Engine: JIT component
A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: JIT miscompilation in the JavaScript Engine: JIT component...
CVE-2026-34212
Docmost is open-source collaborative wiki and documentation software. In versions prior to 0.71.0, improper neutralization of attachment URLs in Docmost allows a low-privileged authenticated user to store a malicious javascript: URL inside an attachment node in page content. When another user vie...
LangSmith SDK: Streaming token events bypass output redaction
Summary The LangSmith SDK's output redaction controls hideOutputs in JS, hideoutputs in Python do not apply to streaming token events. When an LLM run produces streaming output, each chunk is recorded as a newtoken event containing the raw token value. These events bypass the redaction pipeline...
Cross-site Scripting (XSS)
Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Cross-site Scripting XSS via the jsxAttr and JSX attribute rendering paths in src/jsx/jsx-runtime.ts, src/jsx/base.ts, and src/jsx/dom/render.ts. An attacker can inject executable markup ...
SiYuan 安全漏洞
SiYuan is an open-source personal knowledge management system developed by SiYuan. Versions of SiYuan 3.6.3 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the /api/av/removeUnusedAttributeView endpoint, which used a user-controlled id parameter to construct fil...
PT-2026-34593
Name of the Vulnerable Software and Affected Versions LangSmith JavaScript SDK versions prior to 0.5.19 LangSmith Python SDK versions prior to 0.7.31 Description Output redaction controls do not apply to streaming token events. When a Large Language Model run produces streaming output, each chunk...
PT-2026-33374
Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.6.4 Description Mermaid diagrams are rendered with the securityLevel set to "loose", and the resulting SVG is injected into the DOM via innerHTML. This allows attacker-controlled javascript: URLs in Mermaid code bloc...
PT-2026-33384
Name of the Vulnerable Software and Affected Versions Math.js versions 13.1.1 through 15.1.x Description An issue in the expression parser allows the execution of arbitrary JavaScript. This occurs in applications where users are permitted to evaluate arbitrary expressions using the mathjs...
RHEL 9 : thunderbird (RHSA-2026:8287)
The remote Redhat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:8287 advisory. Mozilla Thunderbird is a standalone mail and newsgroup client. Security Fixes: firefox: thunderbird: Use-after-free in the JavaScript Engine...
AlmaLinux 8 : thunderbird (ALSA-2026:6917)
The remote AlmaLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2026:6917 advisory. firefox: thunderbird: Use-after-free in the JavaScript Engine component CVE-2026-4701 firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 115.34...
RHEL 7 : firefox (RHSA-2026:8427)
The remote Redhat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:8427 advisory. Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fixes: firefox:...
SiYuan 安全漏洞
SiYuan is an open-source privacy-oriented personal knowledge management system developed by SiYuan itself. Versions of SiYuan 3.6.3 and earlier contained security vulnerabilities. These vulnerabilities stemmed from Mermaid charts being rendered with a relaxed security level, and the generated SVG...
RHEL 10 : thunderbird (RHSA-2026:8315)
The remote Redhat Enterprise Linux 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:8315 advisory. Mozilla Thunderbird is a standalone mail and newsgroup client. Security Fixes: firefox: thunderbird: Use-after-free in the JavaScript Engin...
CVE-2026-40179
Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without...
EUVD-2026-23092
Type Confusion in V8 in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. Chromium security severity: Medium...