MGASA-2026-0166 Updated perl-Template-Toolkit packages fix security vulnerability

Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected. CVE-2026-5090...

RockyLinux 9 : firefox (RLSA-2026:21378)

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:21378 advisory. firefox: Incorrect boundary conditions in the JavaScript Engine: JIT component CVE-2026-8388 firefox: Other issue in the JavaScript Engine component...

RockyLinux 9 : .NET 8.0 (RLSA-2026:21293)

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:21293 advisory. serialize-javascript: serialize-javascript: Denial of Service via specially crafted array-like object serialization CVE-2026-34043 dotnet: .NET: infinit...

Chromium: CVE-2026-10022 Type Confusion in V8

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

Chromium: CVE-2026-9938 Inappropriate implementation in V8

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

CVE-2026-45627

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution...

Improper Control of Dynamically-Managed Code Resources

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources through the WebAssembly.promising and WebAssembly.Suspending JSPI APIs in...

vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass

Summary A sandbox escape vulnerability in vm2 allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI WebAssembly.promising / WebAssembly.Suspending. In the tested configuration, a JSPI-backed Promise can reach...

CVE-2018-25384 Wikidforum 2.20 Cross-Site Scripting via reply_text Parameter

Wikidforum 2.20 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted HTML in the replytext parameter. Attackers can post comments containing JavaScript code through the rpc.php endpoint that executes in other users'...

CVE-2026-44698

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView window.externalApp on Android and...

CVE-2026-44698 Home Assistant: Cross-origin iframe access token exfiltration via WebView JS bridge callback injection

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView window.externalApp on Android and...

CVE-2026-44698

CVE-2026-44698 affects the Home Assistant Companion apps for Android and iOS, where a JavaScript bridge exposed to in-app WebView could be reached by all frames. The root cause is the bridge exposure along with unsanitized interpolation of the JavaScript callback identifier, allowing a cross-orig...

EUVD-2026-33317

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView window.externalApp on Android and...

CVE-2026-44698

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView window.externalApp on Android and...

CVE-2026-45580

WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars. A canStream user can persi...

EUVD-2026-33311

WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars. A canStream user can persi...

CVE-2026-10057

ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed in users' browsers upon page load...

CVE-2026-10058

ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed in users' browsers upon page load...

CVE-2026-10058

ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed in users' browsers upon page load...

EUVD-2026-33268

ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed in users' browsers upon page load...