
58898 matches found

CVE
added 2026/04/14 2:54 p.m. | 15 views

CVE-2026-37980

CVE-2026-37980 affects Keycloak, specifically the organization selection login page. The vulnerability arises because the organization.alias is inserted into an inline JavaScript onclick handler, enabling a remote attacker with manage-realm or manage-organizations privileges to trigger a Stored X...

CVSS 6.9 | AI score 6 | EPSS 0.00226
Exploits: 0 | References: 2 | Affected Software: 1
ATTACKERKB
added 2026/04/14 2:54 p.m. | 5 views

CVE-2026-37980

A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with manage-realm or manage-organizations administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw occurs because the organization.alias is placed into an...

CVSS 6.9 | AI score 6 | EPSS 0.00226
Exploits: 0 | References: 3
Cvelist
added 2026/04/14 2:54 p.m. | 28 views

CVE-2026-37980 Org.keycloak.forms.login: keycloak: keycloak: arbitrary code execution via stored cross-site scripting (xss) in organization selection login page

A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with manage-realm or manage-organizations administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw occurs because the organization.alias is placed into an...

CVSS 6.9 | EPSS 0.00226
Exploits: 0 | References: 2
Tenable Product Security Advisories
added 2026/04/14 2:54 p.m. | 4 views

[R3] Tenable Identity Exposure Version 3.77.17 Fixes Multiple Vulnerabilities

R3 Tenable Identity Exposure Version 3.77.17 Fixes Multiple Vulnerabilities Aaron Roy Tue, 04/14/2026 - 10:54 Tenable Identity Exposure leverages third-party software to help provide underlying functionality. Several of the third-party components .NET Windows Server Hosting, NodeJS, Erlang OTP, S...

AI score 5.9
Exploits: 0
RedhatCVE
added 2026/04/14 2:47 p.m. | 2 views

CVE-2026-37980

A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with manage-realm or manage-organizations administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw occurs because the organization.alias is placed into an...

CVSS 6.9 | AI score 6 | EPSS 0.00226
Exploits: 0 | References: 3
GithubExploit
added 2026/04/14 10:57 a.m. | 385 views

darksword-Exploit

🗡️ DarkSword — iOS Full-Chain Exploit Analysis Reference:...

CVSS 8.8 | AI score 6.1 | EPSS 0.22216
Exploits: 16
SUSE CVE
added 2026/04/14 8:52 a.m. | 4 views

SUSE CVE-2025-1015

The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book,...

CVSS 7.8 | AI score 6.9 | EPSS 0.01276
Exploits: 0 | References: 7
NVD
added 2026/04/14 3:16 a.m. | 3 views

CVE-2026-4388

The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field Text Box input type in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization sanitizetextfield strips tags but not quotes and...

CVSS 7.2 | EPSS 0.00241
Exploits: 0 | References: 5
GithubExploit
added 2026/04/14 1:25 a.m. | 105 views

coruna-exploit-kit-analysis

Coruna iOS Exploit Kit — Reverse Engineering Analysis Def...

AI score 5.8
Exploits: 0
NVD
added 2026/04/14 1:16 a.m. | 4 views

CVE-2026-39422

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface /ui/chat/accesstoken, the...

CVSS 6.9 | EPSS 0.00216
Exploits: 1 | References: 3
EUVD
added 2026/04/14 12:31 a.m. | 4 views

EUVD-2026-22122

A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in sandbox issue. The attack can be...

CVSS 7.5 | AI score 5.4 | EPSS 0.003
Exploits: 0 | References: 5
OSV
added 2026/04/14 12:16 a.m. | 0 views

DEBIAN-CVE-2026-33948

jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen to determine buffer length instead of the actual byte...

CVSS 5.3 | AI score 5.6 | EPSS 0.00256
Exploits: 1 | References: 1
NVD
added 2026/04/14 12:16 a.m. | 0 views

CVE-2026-27683

SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user's browser, potentially exposing restricted information. This results in a low impact...

CVSS 4.1 | EPSS 0.00185
Exploits: 0 | References: 2
EUVD
added 2026/04/14 12:8 a.m. | 6 views

EUVD-2026-22156

SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user's browser, potentially exposing restricted information. This results in a low impact...

CVSS 4.1 | AI score 5.8 | EPSS 0.00185
Exploits: 0 | References: 2
Cvelist
added 2026/04/14 12:8 a.m. | 22 views

CVE-2026-27683 Reflected cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform

SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user's browser, potentially exposing restricted information. This results in a low impact...

CVSS 4.1 | EPSS 0.00185
Exploits: 0 | References: 2
ATTACKERKB
added 2026/04/14 12:8 a.m. | 1 views

CVE-2026-27683

SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user's browser, potentially exposing restricted information. This results in a low impact...

CVSS 4.1 | AI score 5.8 | EPSS 0.00185
Exploits: 0 | References: 3 | Affected Software: 1
Cvelist
added 2026/04/14 12:0 a.m. | 29 views

CVE-2025-69993

Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes e.g., . When a victim...

CVSS 6.1 | EPSS 0.00191
Exploits: 2 | References: 2
Positive Technologies
added 2026/04/14 12:0 a.m. | 3 views

PT-2026-32628

Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes e.g., . When a victim...

CVSS 6.1 | AI score 5.9 | EPSS 0.00191
Exploits: 2 | References: 4
Positive Technologies
added 2026/04/14 12:0 a.m. | 2 views

PT-2026-32656

alandsilva26 hotel-management-php 1.0 is vulnerable to Cross Site Scripting (XSS) in /public/admin/edit room.php which allows an attacker to inject and execute arbitrary JavaScript via the room id GET parameter...

CVSS 6.1 | AI score 6 | EPSS 0.00181
Exploits: 1 | References: 3
Positive Technologies
added 2026/04/14 12:0 a.m. | 2 views

PT-2026-32917

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the social post attachment upload functionality, where an authenticated user can upload a malicious HTML file containing JavaScript via the...

CVSS 5.1 | AI score 6 | EPSS 0.00219
Exploits: 0 | References: 6