qt: Qt SVG: Arbitrary QML/JavaScript code injection via malicious SVG file

A flaw was found in the Qt SVG module and the VectorImage component in Qt Quick. This vulnerability allows a remote attacker to inject arbitrary QML/JavaScript code by tricking a user into loading a specially crafted malicious SVG file. Successful exploitation could lead to denial of service,...

CVE-2026-22678

Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attackers to execute arbitrary JavaScript in the browser context of administrators by injecting...

MAL-2026-4691 Malicious code in testnpmnmp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e82942b1fcdaed1a1085ad9590ef93704e276c5c5ca1622884abac014f03980f package.json declares "preinstall": "./scripts/postbuild", where scripts/postbuild is a 976,568-byte unsigned, unhashed, unversioned Linux ELF...

SailingLab AppLock 安全漏洞

SailingLab AppLock is a mobile application privacy protection tool developed by SailingLab. It supports features such as app locking, PIN verification, and fingerprint unlocking. Version 4.3.8 of SailingLab AppLock contains a security vulnerability. This vulnerability stems from the...

CVE-2025-68709

SailingLab AppLock (com.alpha.applock) Android app, version 4.3.8, is affected. The vulnerability arises in BrowserMainActivity, which accepts VIEW intents with javascript: URIs, allowing local attackers to trigger arbitrary JavaScript execution. This unsafe navigation path can lead to UI spoofin...

SUSE SLES12 Security Update : MozillaFirefox (SUSE-SU-2026:2039-1)

The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2039-1 advisory. This update for MozillaFirefox fixes the following issue Update to Firefox Extended Support Release 140.11.0 ESR MFSA 2026-48 bsc1265212 -...

Prometheus 跨站脚本漏洞

Prometheus is an open-source software developed in the Go language, used to create real-time metric databases built using the HTTP pull model. Versions of Prometheus from 2.49.0 to 3.5.3, as well as versions before 3.11.3, had a cross-site scripting vulnerability. This vulnerability stemmed from...

CVE-2025-68709

SailingLab AppLock aka com.alpha.applock 4.3.8 for Android allows a local attacker to trigger arbitrary JavaScript execution via BrowserMainActivity, which accepts VIEW intents with javascript: URIs. This unsafe navigation path results in script execution and may allow UI spoofing or privilege...

CVE-2025-68709

SailingLab AppLock aka com.alpha.applock 4.3.8 for Android allows a local attacker to trigger arbitrary JavaScript execution via BrowserMainActivity, which accepts VIEW intents with javascript: URIs. This unsafe navigation path results in script execution and may allow UI spoofing or privilege...

PT-2026-43381

SailingLab AppLock aka com.alpha.applock 4.3.8 for Android allows a local attacker to trigger arbitrary JavaScript execution via BrowserMainActivity, which accepts VIEW intents with javascript: URIs. This unsafe navigation path results in script execution and may allow UI spoofing or privilege...

Babel 安全漏洞

Babel is a JavaScript compiler developed by Babel OpenSource. Versions of Babel from 7.12.0 to 7.29.4, as well as 8.0.0-alpha.13, have security vulnerabilities. These vulnerabilities stem from the possibility of generating outputs that can execute arbitrary code during the compilation of speciall...

CVE-2025-68709

SailingLab AppLock aka com.alpha.applock 4.3.8 for Android allows a local attacker to trigger arbitrary JavaScript execution via BrowserMainActivity, which accepts VIEW intents with javascript: URIs. This unsafe navigation path results in script execution and may allow UI spoofing or privilege...

Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks

Threat actors are exploiting a recently disclosed critical security flaw in Ghost CMS to inject malicious JavaScript code with an aim to fuel ClickFix attacks. According to QiAnXin XLab, the activity involves the exploitation of CVE-2026-26980 CVSS score: 9.4, an SQL injection vulnerability in...

[SECURITY] Fedora 44 Update: nodejs-aw-webui-0^20260516.8d9a7f8-1.fc44

A web-based UI for ActivityWatch, built with Vue.js...

Malicious code in cxpher-linux-arm32 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cd6c14d2899b638880b25bf1c35973ed1c9cf6fcb99331447e3da7c2478124c7 The package's main is an ARM ELF binary that, when loaded, mkdtemp's a working directory under /dev/shm/.cxpher.XXXXXX or /tmp/.cxpher.XXXXXX, writes...

MAL-2026-4547 Malicious code in cxpher-linux-arm32 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cd6c14d2899b638880b25bf1c35973ed1c9cf6fcb99331447e3da7c2478124c7 The package's main is an ARM ELF binary that, when loaded, mkdtemp's a working directory under /dev/shm/.cxpher.XXXXXX or /tmp/.cxpher.XXXXXX, writes...

NGINX JavaScript vulnerability

...

Cross-site Scripting (XSS)

phpMyFAQ is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper escaping of malformed URLs in Utils::parseUrl, which allows an attacker to inject malicious JavaScript through comments and steal admin session cookies when affected pages are viewed...

Remote Code Execution (RCE)

@penpot/mcp is vulnerable to Remote Code Execution RCE. The vulnerability is due to an unauthenticated /execute endpoint exposed on all network interfaces, which allows an attacker to remotely execute arbitrary JavaScript code on the server...

Malicious code in dev-env-bootstrapper (npm)

Ten packages published by npm user asdxzxc at version 1.0.10 target developers working on AI and LLM tooling. Each package masquerades as a developer utility while executing a two-stage payload triggered via postinstall: package.json → lib/setup.js → lib/worker.js. Credential harvesting:...