Cross-site Scripting (XSS)

Overview jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Cross-site Scripting XSS in jspdf.js, when user-controlled values are passed to the options argument, then included unsanitized in the generated HTML and opened by another user. An attack...

jsPDF has a PDF Object Injection via FreeText color

Impact User control of arguments of the createAnnotation method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might...

CVE-2026-4258

Affected software: sjcl (Stanford Javascript Crypto Library). Vulnerability: Improper verification of cryptographic signatures due to missing point-on-curve validation in sjcl.ecc.basicKey.publicKey(). This allows an attacker to recover a victim’s ECDH private key by sending crafted off-curve pub...

CVE-2026-4258

All versions of the package sjcl are vulnerable to Improper Verification of Cryptographic Signature due to missing point-on-curve validation in sjcl.ecc.basicKey.publicKey. An attacker can recover a victim's ECDH private key by sending crafted off-curve public keys and observing ECDH outputs. The...

MAL-2026-1490 Malicious code in ember-power-calendar-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 55191162c66f85fd90f4c2bb6354b569a7ab7cdc6a380289defcc8be784ed434 The package ember-power-calendar-utils was found to contain malicious code. Source: ghsa-malware...

PT-2026-26160

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be...

PT-2026-25976

Name of the Vulnerable Software and Affected Versions jsPDF versions prior to 4.2.1 Description jsPDF is a JavaScript library used to generate PDF documents. A flaw exists where user-controlled arguments within the createAnnotation method can allow the injection of arbitrary PDF objects, includin...

DSA-6166-1 nodejs - security update

Bulletin has no description...

Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection

Summary The eCard send handler in Admidio uses the raw $POST'ecardmessage' value instead of the HTMLPurifier-sanitized $formValues'ecardmessage' when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent t...

CVE-2026-32304

A flaw was found in Locutus, a JavaScript library that provides standard library functions. The createfunction function in Locutus passes user-supplied arguments and code directly to the JavaScript Function constructor without proper sanitization. This vulnerability allows a remote attacker to...

EUVD-2026-12462

Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a reflected cross-site scripting vulnerability in the Network Diagnosis ping function that allows attackers to execute arbitrary JavaScript. Attackers can craft malicious links with injected script payloads in the pingipaddr parameter t...

EUVD-2026-12458

Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by manipulating the Device Name field. Attackers can inject malicious scripts through the System Status interface that execut...

EUVD-2026-12188

Vulnogram 1.0.0 contains a stored cross-site scripting vulnerability in comment hypertext handling that allows attackers to inject malicious scripts. Remote attackers can inject XSS payloads through comments to execute arbitrary JavaScript in victims' browsers...

EUVD-2025-208699

Raytha CMS is vulnerable to Stored XSS via FieldValues1.Value parameter in post editing functionality. Authenticated attacker with permissions to edit posts can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. This issue was fixed in version...

EUVD-2025-208697

"Functions" module in Raytha CMS allows privileged users to write custom code to add functionality to application. Due to a lack of sandboxing or access restrictions, JavaScript code executed through Raytha’s “functions” feature can instantiate .NET components and perform arbitrary...

EUVD-2015-9417

Next Click Ventures RealtyScript 4.0.2 contains a stored cross-site scripting vulnerability in the locationname parameter of the admin locations interface. Attackers can submit POST requests to the locations.php endpoint with JavaScript payloads in the locationname field to execute arbitrary code...

EUVD-2015-9413

Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize CSV file uploads, allowing attackers to inject malicious scripts through filename parameters in multipart form data. Attackers can upload files with XSS payloads in the filename field to execute arbitrary JavaScript in users'...

CVE-2026-32774

Vulnogram 1.0.0 contains a stored cross-site scripting vulnerability in comment hypertext handling that allows attackers to inject malicious scripts. Remote attackers can inject XSS payloads through comments to execute arbitrary JavaScript in victims' browsers...

CVE-2025-69242

Raytha CMS is vulnerable to reflected XSS via the backToListUrl parameter. An attacker can craft a malicious URL which, when opened by authenticated victim, results in arbitrary JavaScript execution in the victim’s browser. This issue was fixed in version 1.4.6...

CVE-2025-15540

"Functions" module in Raytha CMS allows privileged users to write custom code to add functionality to application. Due to a lack of sandboxing or access restrictions, JavaScript code executed through Raytha’s “functions” feature can instantiate .NET components and perform arbitrary...