CI4MS 安全漏洞

CI4MS is an open-source blog page management tool developed by Ci4MS. Versions of CI4MS prior to 0.31.4.0 contained security vulnerabilities. These vulnerabilities stemmed from the improper storage and rendering of blacklist remark parameters into HTML attributes, potentially allowing...

Google Chrome < 147.0.7727.55 Multiple Vulnerabilities

The version of Google Chrome installed on the remote macOS host is prior to 147.0.7727.55. It is, therefore, affected by multiple vulnerabilities as referenced in the 202604stable-channel-update-for-desktop advisory. - Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed an attack...

GitLab 18.2 < 18.8.9 / 18.9 < 18.9.5 / 18.10 < 18.10.3 (CVE-2026-4332)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that, in customizable analytics dashboards, could have allowed ...

KLA91054 Multiple vulnerabilities in Opera

Multiple vulnerabilities were found in Opera. Malicious users can exploit these vulnerabilities to cause denial of service, execute arbitrary code. Below is a complete list of vulnerabilities: 1. Out of bounds read vulnerability in WebCodecs can be exploited to cause denial of service. 2. Use aft...

GO-2026-4865 JsBraceDepth Context Tracking Bugs (XSS) in html/template

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being...

Important: Red Hat Security Advisory: thunderbird security update

An update for thunderbird is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability fr...

firefox: thunderbird: Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component...

firefox: thunderbird: JIT miscompilation in the JavaScript Engine component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: JIT miscompilation in the JavaScript Engine component...

firefox: thunderbird: Use-after-free in the JavaScript Engine component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Use-after-free in the JavaScript Engine component...

firefox: thunderbird: JIT miscompilation in the JavaScript Engine: JIT component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: JIT miscompilation in the JavaScript Engine: JIT component...

CVE-2026-39400

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with createevents and runevents privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The serve...

CVE-2026-32712

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting XSS vulnerability exists in the Daily Sales management table. The customername column is configured with escape: false in the bootstrap-tabl...

EUVD-2026-19939

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting XSS vulnerability exists in the Daily Sales management table. The customername column is configured with escape: false in the bootstrap-tabl...

EUVD-2026-19724

Emissary has Stored XSS via Navigation Template Link Injection...

Emissary has Stored XSS via Navigation Template Link Injection

Summary Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript: URIs, enabling stored cross-site scripting XSS against other...

GHSA-CPM7-CFPX-3HVP Emissary has Stored XSS via Navigation Template Link Injection

Summary Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript: URIs, enabling stored cross-site scripting XSS against other...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the rendering of Mustache navigation templates when user-controlled values are interpolated into the href attribute without proper URL scheme validation. An attacker can execute arbitrary JavaScript in the...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the rendering of Mustache navigation templates when user-controlled values are interpolated into the href attribute without proper URL scheme validation. An attacker can execute arbitrary JavaScript in the...

CVE-2026-39367

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG Electronic Program Guide feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's epglin...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the Add Account Group process on the account-group page. An attacker can execute arbitrary JavaScript in the context of users who view the affected page by injecting malicious scripts. Details Cross-site...