Linux Distros Unpatched Vulnerability : CVE-2026-8336

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - After invoking $internalJsEmit, which is not intended to be directly accessible, or mapreduce command's map function in a certain way, an authenticated user can...

Linux Distros Unpatched Vulnerability : CVE-2026-8388

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Incorrect boundary conditions in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11,...

PT-2026-41153

Summary A stored cross-site scripting vulnerability was identified in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload. Because editors have permission to publish pages, the malicious widget can be published to the liv...

PT-2026-41019

Live Helper Chat is an open-source application that enables live support websites. In 4.84v, the Live Helper Chat REST API chat update endpoint allows a REST user with lhchat/use to update a chat in a department they cannot read. The endpoint accepts arbitrary chat object fields, so the user can...

Linux Distros Unpatched Vulnerability : CVE-2026-8389

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 150.0.3. CVE-2026-8389 Note that Nessus relies on the presen...

PT-2026-41176

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.6.31 Description A Cross-Site Scripting issue exists in the SVG renderer implementation. This allows the permanent storage of HTML or JavaScript code within the application, which is then executed in the context ...

WEBCON BPS 跨站脚本漏洞

WEBCON BPS is a low-code business process management and workflow automation platform developed by the Polish company WEBCON. Versions of WEBCON BPS prior to 2026.1.3.109 and 2025.2.1.293 contained a cross-site scripting vulnerability. This vulnerability stemmed from reflective cross-site scripti...

PT-2026-40849

The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including 1.12.4. This is due to insufficient input sanitization in the update gallery data function and improper output escaping in the gallery init function. The...

PT-2026-40947

Open OnDemand is an open-source high-performance computing portal. Prior to 4.0.11, 4.1.5, and 4.2.2, specially crafted filenames can execute javascript in the file browser This vulnerability is fixed in 4.0.11, 4.1.5, and 4.2.2...

Amazon Linux 2 : thunderbird, --advisory ALAS2-2026-3290 (ALAS-2026-3290)

The version of thunderbird installed on the remote host is prior to 140.10.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3290 advisory. Double-Free / Use-After-Free UAF in the IntoIter::drop and ThinVec::clear functions in the thinvec crate. A panic i...

RHEL 9 : firefox (RHSA-2026:17687)

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:17687 advisory. Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fixes: firefox:...

PT-2026-40872

Name of the Vulnerable Software and Affected Versions GitLab EE versions 18.7 through 18.9.6 GitLab EE versions 18.10 through 18.10.5 GitLab EE versions 18.11 through 18.11.2 Description An issue exists where improper input sanitization allows an authenticated user to execute arbitrary JavaScript...

Important: firefox

Issue Overview: Double-Free / Use-After-Free UAF in the IntoIter::drop and ThinVec::clear functions in the thinvec crate. A panic in ptr::dropinplace skips setting the length to zero. CVE-2026-6654 Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150,...

RHEL 9 : firefox (RHSA-2026:17688)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:17688 advisory. Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fixes: firefox:...

Important: thunderbird

Issue Overview: Double-Free / Use-After-Free UAF in the IntoIter::drop and ThinVec::clear functions in the thinvec crate. A panic in ptr::dropinplace skips setting the length to zero. CVE-2026-6654 Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150,...

PT-2026-40878

Name of the Vulnerable Software and Affected Versions GitLab EE versions 16.4 through 18.9.6 GitLab EE versions 18.10 through 18.10.5 GitLab EE versions 18.11 through 18.11.2 Description Improper input sanitization allows an authenticated user with developer-role permissions to execute arbitrary...

PT-2026-40852

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 15.11 through 18.9.6 GitLab CE/EE versions 18.10 through 18.10.5 GitLab CE/EE versions 18.11 through 18.11.2 Description An issue exists where improper input sanitization allows an authenticated user to inject HTML and...

VulnCheck KEV: CVE-2026-47100

Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting. Attackers can inject...

RHEL 10 : firefox (RHSA-2026:17690)

The remote Redhat Enterprise Linux 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:17690 advisory. Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fixes: firefox:...

RHEL 8 : firefox (RHSA-2026:17477)

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:17477 advisory. Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fixes: firefox:...