Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the color mode preference process. An attacker can execute arbitrary JavaScript in the context of a higher-privileged user by injecting malicious scripts that trigger when the targeted user impersonates the...

CVE-2026-3910

Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

DEBIAN-CVE-2026-3910

Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

CVE-2026-3910

Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

CVE-2026-0835

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.72, 6.2.0.0 through 6.2.0.51, 6.2.1.0 through 6.2.1.11, and 6.2.2.0 are vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus alterin...

CVE-2026-26954 SandboxJS has a Sandbox Escape

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct p: Function where p is any constructible property. This...

BIT-GITLAB-2025-14513 Improper Validation of Specified Quantity in Input in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service condition due to improper input validation when processing specially crafted JSON...

CVE-2026-22210 wpDiscuz before 7.6.47 - Cross-Site Scripting via Unescaped Attachment URLs

wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary...

Linux Distros Unpatched Vulnerability : CVE-2026-29074

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from...

Microsoft Windows Malicious Script File Generator

This PHP script generates a malicious .WSF Windows Script File containing both VBScript and JScript payload blocks. The payload runs arbitrary system commands through WScript.Shell...

Statamic 跨站脚本漏洞

Statamic is a powerful flat-file CMS built using Laravel by Statamic Inc. It allows for storing all content, templates, assets, and settings in files rather than in a database. Versions of Statamic prior to 6.6.2 had a cross-site scripting vulnerability. This vulnerability stemmed from a...

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : MozillaFirefox (SUSE-SU-2026:0871-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0871-1 advisory. Update to Firefox Extended Support Release 140.8.0 ESR MFSA 2026-15 bsc1258568: - CVE-2026-2757:...

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : MozillaThunderbird (SUSE-SU-2026:0880-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0880-1 advisory. Mozilla Thunderbird 140.8 MFSA 2026-17 bsc1258568: - CVE-2026-2757: Incorrect boundary condition...

Google Chrome 代码注入漏洞

Google Chrome is a web browser developed by Google Inc. Versions of Google Chrome prior to 146.0.7680.75 contained a code injection vulnerability, which was caused by improper implementation of the V8 engine. This vulnerability could allow remote attackers to execute arbitrary code within a sandb...

IBM Sterling B2B Integrator和IBM Sterling File Gateway 跨站脚本漏洞

IBM Sterling B2B Integrator and IBM Sterling File Gateway are both products of International Business Machines IBM. IBM Sterling B2B Integrator is a software suite that integrates critical B2B processes, transactions, and relationships. This software supports secure integration of complex B2B...

Ruby on Rails: Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split javascript: URLs

A vulnerability was discovered in the Rails::HTML::Sanitizer.alloweduri? method of the rails-html-sanitizer library. The method incorrectly returned true for entity-encoded control-character-split javascript: URLs, which could lead to potential security issues if the application relied on the...

CVE-2026-3910

Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

CVE-2026-3910

Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

CVE-2026-32308

OneUptime prior to version 10.0.23 is affected by a Stored XSS in the Markdown viewer’s Mermaid diagram rendering. The renderer uses securityLevel: "loose" and injects Mermaid SVG output via innerHTML, allowing interactive bindings and enabling XSS via Mermaid’s click directive to execute arbitra...

GO-2026-4669 SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS in github.com/siyuan-note/siyuan/kernel

SiYuan has a SVG Sanitizer Bypass via Whitespace in javascript: URI — Unauthenticated XSS in github.com/siyuan-note/siyuan/kernel...