EUVD-2026-29049

ATutor is vulnerable to Reflected XSS in /install/install.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early...

EUVD-2026-29047

Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI...

CVE-2026-6956

ATutor is vulnerable to Reflected XSS in /install/install.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early...

CVE-2026-6956 Reflected XSS in ATutor

ATutor is vulnerable to Reflected XSS in /install/install.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early...

CVE-2026-6956

ATutor is vulnerable to a Reflected XSS in the /install/install.php endpoint. An attacker can supply a crafted URL that, when opened, causes arbitrary JavaScript execution in the victim’s browser. The issue has been tested only on version 2.2.4; other versions were not tested but might also be vu...

CVE-2026-6909

ATutor is vulnerable to Reflected XSS in /install/upgrade.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early...

CVE-2026-41951

The vulnerability CVE-2026-41951 affects GROWI up to v7.5.0, where a path traversal flaw could let an attacker cause the server to execute arbitrary EJS templates when an email server is running. The issue is documented in multiple sources (NVD/CVE entries) with CVSS v3.0/4.0 base scores of 7.2/8...

CVE-2026-41951

Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI...

CVE-2026-41951

Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI...

firefox: thunderbird: Invalid pointer in the JavaScript: WebAssembly component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Invalid pointer in the JavaScript: WebAssembly component...

firefox: thunderbird: Use-after-free in the JavaScript Engine component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Use-after-free in the JavaScript Engine component...

Official Clerk JavaScript SDKs 代码问题漏洞

The Official Clerk JavaScript SDKs are an open-source repository for Clerk authentication purposes. These SDKs have code vulnerabilities that can lead to false positives during authorization checks. This occurs when functions like has and auth.protect, along with related authorization predicates,...

Link Preview JS 代码问题漏洞

Link Preview JS is an open-source tool developed by op-engineering for extracting information about web links. Versions of Link Preview JS prior to 4.0.1 contained code vulnerabilities. These vulnerabilities stemmed from the library’s failure to detect IPv6 loop attacks, and DNS attacks that coul...

PT-2026-39892

Name of the Vulnerable Software and Affected Versions SandboxJS versions prior to 0.9.6 Description Sandbox-defined functions expose the Function.caller property, which allows sandboxed code to recover the internal LispType.Call runtime callback. An attacker can invoke this callback using forged...

CVE-2025-61306

The CVE-2025-61306 vulnerability is a reflected XSS in the dfm-menu_coveragealerts.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c. The issue arises from injecting a crafted payload into an unfiltered variable value, allowing an attacker to execute arbitrary JavaScript in a...

CVE-2025-61310

A reflected cross-site scripted XSS vulnerability in the acc-menubillings.php component of GmbH Mecury Managed Print Services docuForm v11.11c allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into an unfiltered variable value...

CVE-2025-61308

CVE-2025-61308 describes a reflected XSS in the dfm-menu_maintenance.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c. The underlying issue is an unfiltered variable value that allows attackers to inject arbitrary JavaScript, executed in a user’s browser context. The CVSS 3....

ATutor 跨站脚本漏洞

ATutor is a set of open-source web-based Learning Content Management Systems LCMS developed by the Atutor team. This system includes modules for teaching content management, forums, chat rooms, etc. Version 2.2.4 of ATutor has a cross-site scripting vulnerability. This vulnerability stems from th...

GROWI 路径遍历漏洞

GROWI is an enterprise-level open-source knowledge base/Wiki system built using Node.js and React by GROWI Inc. GROWI versions 7.5.0 and earlier have a path traversal vulnerability. This vulnerability allows attackers to execute arbitrary EJS templates on the server...

📄 Car Rental Script 4.0 Cross Site Scripting

Car Rental Script version 4.0 suffers from a cross site scripting vulnerability. Titles: Car-Rental-Script4.0-XSS-Reflected Cross-site scripting reflected Author: nu11secur1ty Date: 05/08/2026 Vendor: https://www.phpjabbers.com/ Software: https://www.phpjabbers.com/car-rental-script/ Reference:...