PHP: PHP-FPM: PHP-FPM: Cross-Site Scripting vulnerability via improper URL sanitation

A flaw was found in PHP, specifically within the PHP-FPM status page. Due to improper sanitation of user data, a remote attacker can craft a malicious URL. When a user views the PHP-FPM status page with this crafted URL, it can lead to the execution of arbitrary JavaScript code Cross-Site Scripti...

CVE-2026-43984

CVE-2026-43984 affects Tautulli (Python-based Plex monitoring) prior to version 2.17.1. An authenticated user, including guests when guest access is enabled, can abuse an endpoint that writes attacker-controlled strings into the main application log. The log viewer then embeds the log contents in...

EUVD-2026-34284

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose logjserrors to any authenticated user, including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main application log. The...

CVE-2026-43984 Tautulli has stored XSS in logFile via guest-controlled log_js_errors input

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose logjserrors to any authenticated user, including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main application log. The...

CVE-2019-25731

Zuz Music 2.1 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious JavaScript by submitting crafted contact form data. Attackers can inject script code through the name, subject, and message parameters in POST requests to...

CVE-2019-25731 Zuz Music 2.1 Persistent Cross-site Scripting via zuzconsole Contact

Zuz Music 2.1 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious JavaScript by submitting crafted contact form data. Attackers can inject script code through the name, subject, and message parameters in POST requests to...

RLSA-2026:21380 Important: firefox security update

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fixes: firefox: Incorrect boundary conditions in the JavaScript Engine: JIT component CVE-2026-8388 firefox: Other issue in the JavaScript Engine component CVE-2026-8391 firefo...

firefox security update

An update is available for firefox. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Mozilla Firefox is an open-source web browser, designed for standards...

CVE-2025-52611

HCL iControl v4.0.0 was affected by Unhandled Exception - Stack Trace Disclosure vulnerability. The error occurs due to an undefined property being accessed in the application's JavaScript code. Specifically, the code attempts to read the property dashboard key from an object that is undefined...

ROOT-APP-NPM-CVE-2023-26133 CVE-2023-26133 in @rootio/progressbar.js - Patched by Root

Root has patched CVE-2023-26133 in the @rootio/progressbar.js package for Root:npm. Multiple fixed versions available...

Cross-site Scripting

TinyMCE is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper SVG namespace scope handling in the sanitizer, where crafted nested SVG elements can bypass attribute sanitization and execute arbitrary JavaScript, resulting in cross-site scripting attacks...

Security Bulletin: Due to use of js-yaml-4.1.0.tgz, IBM Sterling Connect:Direct Web Services is affected by modify the prototype of the result of a parsed yaml.

Summary js-yaml-4.1.0.tgz is used by IBM Sterling Connect:Direct Web Services CVE-2025-64718. Vulnerability Details CVEID:CVE-2025-64718 DESCRIPTION: js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the...

RockyLinux 10 : .NET 8.0 (RLSA-2026:21286)

The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:21286 advisory. serialize-javascript: serialize-javascript: Denial of Service via specially crafted array-like object serialization CVE-2026-34043 dotnet: .NET: infini...

PT-2026-46847

Description This report describes an open redirect in Shopware's public SSO entry point at GET /api/oauth/sso/auth. When the endpoint is reached without the expected SSO session state, the application falls back to the request's Referer header and uses that value as the redirect destination. In t...

Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : Template-Toolkit vulnerability (USN-8377-1)

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-8377-1 advisory. It was discovered that Template-Toolkit did not properly escape single quotes in the htmlfilter function of Template::Plugin::HTML...

MiracleLinux 8 : dotnet8.0-8.0.127-1.el8_10.ML.1 (AXSA:2026-756:09)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2026-756:09 advisory. serialize-javascript: serialize-javascript: Denial of Service via specially crafted array-like object serialization CVE-2026-34043 dotnet: .NET:...

RockyLinux 10 : firefox (RLSA-2026:21380)

The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:21380 advisory. firefox: Incorrect boundary conditions in the JavaScript Engine: JIT component CVE-2026-8388 firefox: Other issue in the JavaScript Engine component...

CVE-2025-65640

The CVE-2025-65640 issue affects Arket Globe Document Intelligence 5.0.0.559 (Task in Progress / Recent page). It is a Cross Site Scripting (XSS) vulnerability caused by improper sanitization/escaping of user input in text fields when creating a new document, allowing injected JavaScript to run i...

PT-2026-46201

Name of the Vulnerable Software and Affected Versions Zuz Music version 2.1 Description A persistent cross-site scripting issue allows unauthenticated attackers to inject malicious JavaScript by submitting crafted contact form data. The injection occurs via the name, subject, and message paramete...

Joern 4.0.554

Joern is the bug hunter's workbench. With this tool, you can uncover attack surface, sloppy coding practices, and variants of known vulnerabilities using an interactive code analysis shell. Joern supports C, C++, LLVM bitcode, x86 binaries via Ghidra, JVM bytecode via Soot, and Javascript...