Linux Distros Unpatched Vulnerability : CVE-2026-49128

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Music Player Daemon MPD before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local...

CVE-2026-49128

Music Player Daemon MPD before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without...

Astra Linux - уязвимость в firefox

When Firefox is configured to block the storage of all cookies, it is still possible to store data in localstorage by using an iframe with a source of ‘about:blank’. This could allow malicious websites to store tracking data without permission. This vulnerability affects Firefox versions earlier...

SUSE CVE-2026-27616

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to upload SVG files as task attachments. SVG is an XML-based format that supports JavaScript execution through elements such as tags or event handlers like onload. The application...

Malicious Package

Overview iron-localstorage is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

MAL-2026-1309 Malicious code in iron-localstorage (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0b4370af9c8f0db5604f7bc2648c64054140ea6fbcfebd4eef181c7330efaf77 The package iron-localstorage was found to contain malicious code. Source: ghsa-malware...

Malicious code in iron-localstorage (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0b4370af9c8f0db5604f7bc2648c64054140ea6fbcfebd4eef181c7330efaf77 The package iron-localstorage was found to contain malicious code. Source: ghsa-malware...

GHSA-RCHV-X836-W7XP OpenClaw's dashboard leaked gateway auth material via browser URL/query and localStorage

OpenClaw's macOS Dashboard flow exposed Gateway authentication material to browser-controlled surfaces. Before the fix, the macOS app appended the shared Gateway token and password to the Dashboard URL query string when opening the Control UI in the browser. The Control UI then imported the token...

CVE-2026-27822

RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting XSS vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF preview logic, an...

Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover

Summary A Stored Cross-Site Scripting XSS vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF preview logic, an attacker can steal administrator credentials from localStorage, leading to full account...

CVE-2026-27822

RustFS before 1.0.0-alpha.83 is affected by a Stored XSS in the RustFS Console that bypasses PDF preview logic, allowing an attacker to steal admin credentials from localStorage and potentially takeover accounts and compromise the system. The issue is fixed in 1.0.0-alpha.83. No exploitation deta...

CVE-2026-27822 Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover

RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting XSS vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF preview logic, an...

CVE-2026-27822 Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover

RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting XSS vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF preview logic, an...

CVE-2026-27822

RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting XSS vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF preview logic, an...

PT-2026-22032

Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.0.0 Description Vikunja, a self-hosted task management platform, does not sanitize SVG files uploaded as task attachments. This allows for the inclusion of JavaScript code within the SVG file, which executes when th...

SUSE CVE-2026-22808

fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token FLEET::authtoken from localStorage...

CVE-2026-24399 ChatterMate has Stored Cross-Site Scripting (XSS) via Chatbot Input Execution

ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an payload containing a javascript: URI can be processed and executed in the browser context. This allow...

CVE-2026-24399

ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an payload containing a javascript: URI can be processed and executed in the browser context. This allow...

CVE-2026-22808

fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token FLEET::authtoken from localStorage...

CVE-2026-22808

CVE-2026-22808 describes a Cross-site Scripting (XSS) vulnerability in Fleet Windows MDM endpoint (fleetdm/fleet). If Windows MDM is enabled, an unauthenticated attacker could trigger XSS to steal the Fleet administrator token (FLEET::auth_token) from localStorage, potentially enabling unauthoriz...