CVE-2025-58091

Multiple reflected cross-site scripting xss vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities.This...

CVE-2025-46270

A reflected cross-site scripting xss vulnerability exists in the fetchPriorStudies functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability...

CVE-2025-54778

A reflected cross-site scripting xss vulnerability exists in the existingUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability...

CVE-2025-55071

A reflected cross-site scripting xss vulnerability exists in the modifyAnonymize functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability...

CVE-2025-53707

A reflected cross-site scripting xss vulnerability exists in the modifyTranscript functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability...

CVE-2025-44000

A reflected cross-site scripting xss vulnerability exists in the sendOruReport functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability...

CVE-2025-53854

A reflected cross-site scripting xss vulnerability exists in the modifyHL7Route functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability...

firefox: thunderbird: Use-after-free in the JavaScript Engine component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Use-after-free in the JavaScript Engine component...

Malicious code in qdrant-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1ad84f3d1657583a0a6fa9d58b06258298369ea5e4ee10ac0516c3f641b33871 The package qdrant-js was found to contain malicious code. Source: ghsa-malware 789e158c461e8c11f86da5b04f09dab1797536199084bf548efc2f3ee13b33f1 Any...

MAL-2026-434 Malicious code in weaviate-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c229f83d7066881287b7035e8e71dc5ed74531480ab19cbf47ebd72990bc1525 The package weaviate-js was found to contain malicious code. Source: ghsa-malware bb063c82675f5933564b46d7e49a2c2a7aac395d9a399b1264e3de0aafb29905 An...

Malicious code in babel-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8e9ff5d2308ea7b49b6fbf0f4e49dd88fe66d82523ae39b56d2c8ce3747e64c7 The package babel-js was found to contain malicious code. Source: ghsa-malware 971a7cbc4a8fb219a47c89b6aa15c980a6d562786f2800c575eb250f53e229e1 Any...

EUVD-2026-3720

Malicious code in nanoid-js npm...

GHSA-W836-5GPM-7R93 SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon

Summary Reflected XSS in /api/icon/getDynamicIcon due to unsanitized SVG input. Details The endpoint generates SVG images for text icons type=8. The content query parameter is inserted directly into the SVG tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting...

PT-2026-3868

CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or...

CVAT.ai CVAT security vulnerability

CVAT.ai CVAT is an open-source data processing tool developed by CVAT.ai. Versions 2.2.0 to 2.54.0 of CVAT.ai contain security vulnerabilities. These vulnerabilities allow attackers to execute arbitrary JavaScript in the CVAT UI sessions of victim users, potentially enabling them to access all CV...

PT-2026-5442

Name of the Vulnerable Software and Affected Versions Orval versions 7.19.0 through 7.20.9 Orval versions 8.0.0 through 8.1.9 Description Orval, a tool that generates type-safe JavaScript clients from OpenAPI specifications, is affected by a code injection issue. The jsStringEscape function does...

Seroval code issue vulnerabilities

Seroval is a formatted Java library developed by Alexis H. Munsayac. Versions of Seroval 1.4.0 and earlier have code vulnerabilities caused by improper handling of JSON deserialization inputs, which may lead to arbitrary JavaScript code execution...

EUVD-2026-3658

The WorklogPRO - Timesheets for Jira plugin in Jira Data Center before version 4.23.6-jira10 and before version 4.23.5-jira9 allows users and attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability. The vulnerability is exploited via a specially crafted paylo...

CVE-2026-21636

A flaw in Node.js's permission model allows Unix Domain Socket UDS connections to bypass network restrictions when --permission is enabled. Even without --allow-net, attacker-controlled inputs such as URLs or socketPath options can connect to arbitrary local sockets via net, tls, or undici/fetch...

ALPINE-CVE-2025-55131

A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the vm module with the timeout option. Under specific timing conditions, buffers allocated with Buffer.alloc and other TypedArray instances like Uint8Array may contain leftover...