Google Chrome Security Vulnerability
Google Chrome is a web browser developed by Google Inc. Versions of Google Chrome prior to 145.0.7632.109 contained a security vulnerability, which was caused by integer overflow in the V8 component, potentially leading to heap corruption...
Important: firefox
Issue Overview: Spoofing issue in the Downloads Panel component. This vulnerability affects Firefox 146. CVE-2025-14327 Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox 147, Firefox ESR 115.32, and Firefox ESR 140.7. CVE-2026-0877 Sandbox escape due to incorrec...
PT-2026-20393
Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker ...
ezBookkeeping Security Vulnerability
ezBookkeeping is a lightweight personal accounting application developed by mayswind developers. Versions of ezBookkeeping 1.2.0 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the lack of validation of nested depths during the processing of JSON and XML file...
Bematech MP-4200 TH Cross-Site Scripting Vulnerability
The Bematech MP-4200 TH is a thermal receipt printer produced by the British company Bematech. The Bematech MP-4200 TH has a cross-site scripting vulnerability. This vulnerability stems from a cross-site scripting vulnerability present in the administrator configuration page, which may allow...
Stable Channel Update for Desktop
The Stable channel has been updated to 145.0.7632.109/110 for Windows/Mac and 145.0.7632.109 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log. Security Fixes and Rewards. Note: Access to bug details and links may be kept...
Rack Cross-Site Scripting Vulnerability
Rack is a modular Ruby web server interface developed by the Rack open source project. Versions of Rack prior to 2.2.22, 3.1.20, and 3.2.5 had a cross-site scripting vulnerability. This vulnerability stemmed from the HTML directory index generated by Rack::Directory, which contained clickable...
PT-2026-20502
IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the fwhosts.cgi script that allow attackers to inject malicious scripts through multiple parameters including HOSTNAME, IP, SUBNET, NETREMARK, HOSTREMARK, newhost, grp name, remark, SRV NAME, SRV PORT,...
Google Chrome < 145.0.7632.109 Multiple Vulnerabilities
The version of Google Chrome installed on the remote Windows host is prior to 145.0.7632.109. It is, therefore, affected by multiple vulnerabilities as referenced in the 202602stable-channel-update-for-desktop18 advisory. - Heap buffer overflow in Media in Google Chrome prior to 145.0.7632.109...
GHSA-WHRJ-4476-WVMP Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
Summary: Rack::Directory generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the javascript: scheme, e.g. javascript:alert1, the generated index includes an anchor whose href attribute is exactly...
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
Summary: Rack::Directory generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the javascript: scheme, e.g. javascript:alert1, the generated index includes an anchor whose href attribute is exactly...
Cross-site Scripting (XSS)
Overview: rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between the so-called middleware into a singl...
securiclaw
🦞 Securiclaw AI-Powered Code Security Scanner Securiclaw...
Improper Verification of Cryptographic Signature
Overview: sjcl is a Stanford Javascript Crypto Library. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to missing point-on-curve validation in sjcl.ecc.basicKey.publicKey. An attacker can recover a victim's ECDH private key by sending crafte...
org.webjars.npm:github-com-aws-amazon-cognito-identity-js (=1.12.0) potentially affected by CVE-2026-4258 via org.webjars.npm:sjcl (=1.0.8)
org.webjars.npm:sjcl MAVEN version =1.0.8 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:sjcl and may be impacted: - org.webjars.npm:github-com-aws-amazon-cognito-identity-js =1.12.0 Source cves: CVE-2026-4258 Source advisory:...
PT-2026-20245
Name of the Vulnerable Software and Affected Versions: IBM Concert versions 1.0.0 through 2.1.0. Description: The IBM Concert Z hub framework is susceptible to cross-site scripting. An unauthenticated attacker can inject arbitrary JavaScript code into the Web UI, potentially modifying the intended...
CVE-2019-25389
Smoothwall Express 3.1-SP4-polar-x8664-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the MACHINES parameter. Attackers can craft requests to the timedaccess.cgi endpoint with script payloads in the...
CVE-2019-25387
Smoothwall Express 3.1-SP4-polar-x8664-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the xtaccess.cgi endpoint. Attackers can inject script payloads through the EXT, DESTPORT, or...
CVE-2019-25382
Smoothwall Express 3.1-SP4-polar-x8664-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the NTPSERVER parameter. Attackers can send POST requests to the time.cgi endpoint with script payloads in the...