CVE-2026-3778

The application does not detect or guard against cyclic PDF object references while handling JavaScript in PDF. When pages and annotations are crafted that reference each other in a loop, passing the document to APIs e.g., SOAP that perform deep traversal can cause uncontrolled recursion, stack...

CVE-2026-3777 Use after free of view cache in Foxit PDF Editor/Reader

The application does not properly validate the lifetime and validity of internal view cache pointers after JavaScript changes the document zoom and page state. When a script modifies the zoom property and then triggers a page change, the original view object may be destroyed while stale pointers...

CVE-2026-3777

Summary: CVE-2026-3777 affects Foxit PDF Editor/Reader (multiple platforms). The vulnerability is a use-after-free caused by improper validation of lifetime/validity of internal view cache pointers after JavaScript alters document zoom and page state. When a script modifies zoom and triggers a pa...

CVE-2026-3777 Use after free of view cache in Foxit PDF Editor/Reader

The application does not properly validate the lifetime and validity of internal view cache pointers after JavaScript changes the document zoom and page state. When a script modifies the zoom property and then triggers a page change, the original view object may be destroyed while stale pointers...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the getDynamicIcon process. An attacker can execute arbitrary JavaScript in the context of the application by injecting namespace-prefixed SVG elements into the content parameter, which are not properly...

YesWiki has Multiple Reflected Cross-site Scripting Vulnerabilities

Summary Multiple reflected Cross-site Scripting XSS vulnerabilities across both authenticated and unauthenticated portions of the application. These findings present a significant security risk, as they can be leveraged to execute arbitrary JavaScript in a victim’s browser under various contexts...

GHSA-37FQ-47QJ-6J5J YesWiki has Persistent Blind XSS at "/?BazaR&vue=consulter"

Summary A stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed. Type: Stored an...

YesWiki has Persistent Blind XSS at "/?BazaR&vue=consulter"

Summary A stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed. Type: Stored an...

Foxit PDF Reader和Foxit PDF Editor 安全漏洞

Foxit PDF Reader and Foxit PDF Editor are products of Foxit Corporation, a Chinese company. Foxit PDF Reader is a PDF reader. Foxit PDF Editor is a PDF editor. Both Foxit PDF Reader and Foxit PDF Editor have security vulnerabilities. These vulnerabilities stem from JavaScript, which fails to...

PT-2026-29438

The application does not detect or guard against cyclic PDF object references while handling JavaScript in PDF. When pages and annotations are crafted that reference each other in a loop, passing the document to APIs e.g., SOAP that perform deep traversal can cause uncontrolled recursion, stack...

Foxit PDF Reader和Foxit PDF Editor 安全漏洞

Foxit PDF Reader and Foxit PDF Editor are products of Foxit Corporation, a Chinese company. Foxit PDF Reader is a PDF reader. Foxit PDF Editor is a PDF editor. Both Foxit PDF Reader and Foxit PDF Editor have security vulnerabilities. These vulnerabilities arise from failing to detect or prevent...

Official Clerk JavaScript SDKs 代码问题漏洞

The Official Clerk JavaScript SDKs are an open-source repository for Clerk authentication purposes. These SDKs have code-related vulnerabilities. The vulnerability stems from the clerkFrontendApiProxy function in @clerk/backend, which involves server-side request forgeing. This could allow...

PT-2026-29496

Summary A stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed. Type: Stored an...

PT-2026-29434

The application allows PDF JavaScript and document/print actions such as WillPrint/DidPrint to update form fields, annotations, or optional content groups OCGs immediately before or after redaction, encryption, or printing. These script‑driven updates are not fully covered by the existing...

Enhancing REST API Fuzzing with Access Policy Violation Checks and Injection Attacks

Due to their widespread use in industry, several techniques have been proposed in the literature to fuzz REST APIs. Existing fuzzers for REST APIs have been focusing on detecting crashes e.g., 500 HTTP server error status code. However, security vulnerabilities can have major drastic consequences...

RHEL 10 : thunderbird (RHSA-2026:6342)

The remote Redhat Enterprise Linux 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:6342 advisory. Mozilla Thunderbird is a standalone mail and newsgroup client. Security Fixes: firefox: thunderbird: Use-after-free in the JavaScript Engin...

MiracleLinux 8 : firefox-140.9.0-1.el8_10.ML.1 (AXSA:2026-373:06)

The remote MiracleLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2026-373:06 advisory. firefox: thunderbird: Use-after-free in the JavaScript Engine component CVE-2026-4701 firefox: thunderbird: Memory safety bugs fixed in Firefox ESR...

PT-2026-29628

Name of the Vulnerable Software and Affected Versions: CI4MS versions prior to 0.31.0.0 Description: The application does not properly sanitize user-controlled input when handling backup uploads and processing backup metadata. An attacker can inject a malicious JavaScript payload into the backup...

PT-2026-29518

A reflected cross-site scripting XSS vulnerability in the dashboard search functionality of the VertiGIS FM solution allows attackers to craft a malicious URL, that if visited by an authenticated victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered...

VertiGIS FM 安全漏洞

VertiGIS FM is a facility and asset management platform from VertiGIS Corporation. There is a security vulnerability in VertiGIS FM, which stems from a reflection-type cross-site scripting vulnerability in the dashboard search function. This vulnerability could allow attackers to create malicious...