51 matches found

RedhatCVE
added 2 days ago · 4 views

CVE-2026-41180

PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under /files/:uploadId validates the mounted request path using the still-encoded req.path, but the downstream tus handler later writes using the decoded req.params.uploadId. In...

7.5 CVSS · 5.5 AI score · 0.00055 EPSS
Exploits 0 · References 1

ATTACKERKB
added 2026/04/20 8:30 a.m. · 2 views

CVE-2026-6621

A vulnerability was determined in 1024bit extend-deep up to 0.1.6. The impacted element is an unknown function of the file index.js. This manipulation of the argument proto causes improperly controlled modification of object prototype attributes. Remote exploitation of the attack is possible. The...

7.5 CVSS · 5.4 AI score · 0.00064 EPSS
Exploits 0 · References 4 · Affected Software 1

NVD
added 2026/03/28 3:16 p.m. · 0 views

CVE-2026-4999

A security vulnerability has been detected in z-9527 admin up to 72aaf2dd05cf4ec2e98f390668b41e128eec5ad2. This issue affects the function uploadFile of the file /server/utils/upload.js of the component isImg Check. The manipulation of the argument fileType leads to path traversal. Remote...

6.5 CVSS · 0.00106 EPSS
Exploits 0 · References 4

Positive Technologies
added 2026/02/24 12:0 a.m. · 4 views

PT-2026-21612

A flaw has been found in horilla-opensource horilla up to 1.0.2. Impacted is an unknown function of the file static/assets/js/global.js of the component Leads Module. Manipulation of the argument Notes causes cross-site scripting. The attack can be carried out remotely. The exploi...

5.1 CVSS · 3.6 AI score · 0.00047 EPSS
Exploits 1 · References 7

EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2017-14725

Malware in sbrugna...

7.8 CVSS · 6.5 AI score · 0.00097 EPSS
Exploits 0 · References 7

EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2018-12768

Malware in sbrugna...

7.8 CVSS · 7.7 AI score · 0.00189 EPSS
Exploits 1 · References 2

EUVD
added 2025/10/03 8:7 p.m. · 1 views

EUVD-2024-17098

Malicious code in bioql PyPI...

5.4 CVSS · 6.4 AI score · 0.00291 EPSS
Exploits 0 · References 2

Snyk
added 2025/09/15 7:39 a.m. · 1 views

Embedded Malicious Code

Overview: @ctrl/ts-base32 is a package for base32 encoding and decoding in TypeScript. Affected versions of this package are vulnerable to Embedded Malicious Code. Compromised versions of this package contain a file called bundle.js that exfiltrates secrets from the user's accounts, including...

9.8 CVSS · 7 AI score
Exploits 0 · References 2

RedhatCVE
added 2025/05/22 8:4 a.m. · 4 views

CVE-2018-20201

There is a stack-based buffer over-read in the jsfNameFromString function of jsflash.c in Espruino 2V00, leading to a denial of service or possibly unspecified other impact via a crafted js file...

7.8 CVSS · 7.6 AI score · 0.00189 EPSS
Exploits 1 · References 1

Vulnrichment
added 2024/01/19 12:0 a.m. · 6 views

CVE-2023-27168

An arbitrary file upload vulnerability in Xpand IT Write-back Manager v2.3.1 allows attackers to execute arbitrary code via a crafted jsp file...

9.6 AI score · 0.00237 EPSS
Exploits 1 · References 4

Hacker One
added 2023/11/08 2:3 a.m. · 22 views

X (Formerly Twitter): Cross-Domain Leakage of X Username / UserID due to Dynamically Generated JS File

The vulnerability allowed the retrieval of a user's X username and user ID from a dynamically generated JavaScript file hosted on Twitter. An attacker could force a victim to import the file from a malicious website, bypassing the Same-Origin Policy and exposing the user's sensitive information...

6.8 AI score
Exploits 0

OSV
added 2023/02/03 6:15 p.m. · 10 views

CVE-2021-36535

Buffer Overflow vulnerability in Cesanta mJS 1.26 allows remote attackers to cause a denial of service via crafted .js file to mjs_set_errorf...

5.5 CVSS · 5.5 AI score
Exploits 0 · References 1

Prion
added 2023/02/03 6:15 p.m. · 13 views

Buffer overflow

Buffer Overflow vulnerability in Cesanta mJS 1.26 allows remote attackers to cause a denial of service via crafted .js file to mjs_set_errorf...

1.7 CVSS · 5.5 AI score · 0.00133 EPSS
Exploits 1 · References 1 · Affected Software 1

Cvelist
added 2023/02/03 12:0 a.m. · 15 views

CVE-2021-36535

Buffer Overflow vulnerability in Cesanta mJS 1.26 allows remote attackers to cause a denial of service via crafted .js file to mjs_set_errorf...

5.7 AI score · 0.00133 EPSS
Exploits 1 · References 1

CVE
added 2023/02/03 12:0 a.m. · 33 views

CVE-2021-36535

CVE-2021-36535 describes a buffer overflow in Cesanta mJS 1.26. The issue affects the mjs_set_errorf path and can be triggered by a crafted .js file, leading to denial of service. The available connected documents corroborate the target as Cesanta mJS 1.26 and the impact as availability loss (DoS...

5.5 CVSS · 5.5 AI score · 0.00133 EPSS
Exploits 1 · References 1 · Affected Software 1

Positive Technologies
added 2023/01/05 12:0 a.m. · 2 views

PT-2023-10805 · Unknown · Osm Lab Show-Me-The-Way

Name of the Vulnerable Software and Affected Versions: OSM Lab show-me-the-way (affected versions not specified). Description: A vulnerability was found in the processing of the file js/site.js, which leads to cross-site scripting. The attack may be initiated remotely. Recommendations: To fix this...

6.1 CVSS · 4.2 AI score · 0.00246 EPSS
Exploits 0 · References 7

Huntr
added 2022/12/26 11:6 a.m. · 28 views

Stored XSS with CSP bypass through JS file upload

Description: I've seen here: https://github.com/usememos/memos/blob/main/server/resource.go#L268 that has been implemented the CSP with "default-src 'self'" configuration. This configuration can be bypassed if I'm able to upload a js file, and then call it from another files while they both resides...

4.9 CVSS · 5.6 AI score · 0.00213 EPSS
Exploits 1 · References 1

Hacker One
added 2021/11/12 12:2 p.m. · 25 views

Kubernetes: Google storage bucket takeover which is used to load JS file in dashboard.html in "github.com/kubernetes/release" which can lead to XSS

Report Submission Form. Summary: Kubernetes has a GitHub repository, github.com/kubernetes/release. In the repository there is code for a dashboard. The dashboard has an HTML file, dashboard.html, which uses a JS file from a Google storage bucket. The bucket was not registered on Google Cloud. So I...

6.2 AI score
Exploits 0

Hacker One
added 2021/06/07 12:52 a.m. · 18 views

Semrush: API key (api.semrush.com) leak in JS-file

The researcher found a JavaScript file with an API token that allowed retrieval of internal statistics. When you access a page not found on the application, the source code of the page contains a portion of code that lists many JavaScript files. Some of these JavaScript files correspond to the Semru...

7 AI score
Exploits 0

Hacker One
added 2019/10/06 4:14 p.m. · 32 views

U.S. Dept Of Defense: [█████] — DOM-based XSS on endpoint `/?s=`

Description GET parameter s is vulnerable to DOM-based XSS on endpoint /?s=. XSS affects all users and no authentication or login is required. Proof of Concept Visit the following URL for PoC: https://██████/?s=%27%3E%3Cscript%3Ealertdocument.domain%3C/script%3E █████████ Explanation This DOM-bas...

0.1 AI score
Exploits 0