CVE-2026-27742

Bludit

CVE-2026-25648

Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file uploads without...

CVE-2026-25648 Traccar Vulnerable to Stored Cross-Site Scripting (XSS) via Malicious SVG File Upload

Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file uploads without...

CVE-2026-26464

Stored Cross-Site Scripting XSS was found in the /admin/edituser.php page of Society Management System Portal V1.0, which allows remote attackers to inject and store arbitrary JavaScript code that is executed in users' browsers. This vulnerability can be exploited via the name parameter in a POST...

PT-2026-21569

Name of the Vulnerable Software and Affected Versions Bludit version 3.16.2 Description The application does not properly sanitize content input on the server side, despite client-side sanitation. An authenticated user can inject JavaScript into the post content field. This injected script execut...

PT-2026-21559

Name of the Vulnerable Software and Affected Versions Traccar versions 6.11.1 and later Description The Traccar GPS tracking system is affected by an issue where authenticated users can execute arbitrary JavaScript in other users' browsers. This occurs because the application accepts SVG file...

CVE-2026-27147

GetSimple CMS is a content management system. All versions of GetSimple CMS are vulnerable to XSS through SVG file uploads. Authenticated users can upload SVG files via the administrative upload functionality, but they are not properly sanitized or restricted, allowing an attacker to embed...

openSUSE 16 Security Update : chromium (openSUSE-SU-2026:20258-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20258-1 advisory. Changes in chromium: - Chromium 145.0.7632.109 boo1258438: CVE-2026-2648: Heap buffer overflow in PDFium CVE-2026-2649: Integer overflow in V8...

CVE-2025-68846

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Paris Holley Asynchronous Javascript asynchronous-javascript allows Reflected XSS.This issue affects Asynchronous Javascript: from n/a through = 1.3.5...

CVE-2026-24959

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in JoomSky JS Help Desk js-support-ticket allows Blind SQL Injection.This issue affects JS Help Desk: from n/a through = 3.0.1...

CVE-2026-27505

SVXportal version 2.5 and prior contain a stored cross-site scripting vulnerability in the user registration workflow index.php submitting to admin/useraction.php. User-supplied fields such as Firstname, lastname, and email are stored in the backend database without adequate output encoding and a...

CVE-2026-27502

SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in log.php via the search query parameter. The application embeds the unsanitized parameter value directly into an HTML input value attribute, allowing an unauthenticated remote attacker to inject and execute...

CVE-2019-25445

Fiverr Clone Script 1.2.2 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft URLs with script tags in the keyword parameter of search-results.php to execute arbitrary JavaScript...

CVE-2026-27503

SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in admin/log.php via the search query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value directly into an HTML input value attribute,...

CVE-2026-27458

LinkAce is a self-hosted archive to collect website links. Versions 2.4.2 and below have a Stored Cross-site Scripting vulnerability through the Atom feed endpoint for lists /lists/feed. An authenticated user can inject a CDATA-breaking payload into a list description that escapes the XML CDATA...

CVE-2026-27458

LinkAce versions 2.4.2 and earlier are affected by a Stored XSS in the Atom feed at /lists/feed. An authenticated user can inject a CDATA-breaking payload into a list description, escaping the CDATA and injecting an SVG element into the Atom XML, which the browser parses and executes as JavaScrip...

CVE-2026-27196

Statmatic is a Laravel and Git powered content management system CMS. Versions 5.73.8 and below in addition to 6.0.0-alpha.1 through 6.3.1 have a Stored XSS vulnerability in html fieldtypes which allows authenticated users with field management permissions to inject malicious JavaScript that...

OPENSUSE-SU-2026:20258-1 Security update for chromium

This update for chromium fixes the following issues: Changes in chromium: - Chromium 145.0.7632.109 boo1258438: CVE-2026-2648: Heap buffer overflow in PDFium CVE-2026-2649: Integer overflow in V8 CVE-2026-2650: Heap buffer overflow in Media...

CVE-2025-13672

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in OpenText™ Web Site Management Server allows Reflected XSS. The vulnerability could allow injecting malicious JavaScript inside URL parameters that was then rendered with the preview of the...

SUSE CVE-2026-26996

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service ReDoS when a glob pattern contains many consecutive wildcards followed by a literal character that doesn't appea...