Lucene search

37 matches found

OSV
added 2026/06/12 3:4 p.m. · 6 views

GHSA-6JQ6-X4CX-QVCM Firefly II has Stored XSS in Audit Log Entry view via piggy bank name (ale.twig)

Summary The Twig template resources/views/list/ale.twig renders the piggy bank name from AuditLogEntry.after.piggy using the |raw filter, bypassing Twig's auto-escaping. A piggy bank created with an HTML payload in its name executes arbitrary JavaScript in any browser viewing that transaction's...

CVSS 5.1 · AI score 5.5
Exploits 0 · References 3
RedhatCVE
added 2026/06/07 8:59 a.m. · 20 views

CVE-2026-8901

The Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Form Submission Data in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This make...

CVSS 7.2 · AI score 5.7 · EPSS 0.00314
Exploits 0 · References 1
Vulnrichment
added 2026/06/05 1:57 a.m. · 8 views

CVE-2026-50592

In Znuny LTS before 6.5.21 and Znuny before 7.3.3, there is reflected XSS in AdminCommunicationLog aka the communication log administration view...

CVSS 6.4 · AI score 5.4 · EPSS 0.00148
Exploits 0 · References 1
Github Security Blog
added 2026/05/19 7:37 p.m. · 14 views

GitHub CLI: GitHub Actions log output in `gh run view` allows terminal escape sequence injection

Summary A security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users view GitHub Actions workflow logs using gh run view --log or gh run view --log-failed. Details The vulnerability stems from the way GitHub CLI handles raw Actions log...

CVSS 3.5 · AI score 6.1 · EPSS 0.002
Exploits 1 · References 3 · Affected Software 2
SUSE CVE
added 2026/05/18 1:21 p.m. · 11 views

SUSE CVE-2026-45803

gh is GitHub's official command line tool. From 1.6.0 to before 2.92.0, a security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users view GitHub Actions workflow logs using gh run view --log or gh run view --log-failed. The vulnerabilit...

CVSS 3.5 · AI score 6 · EPSS 0.002
Exploits 1 · References 3
OSV
added 2026/02/12 8:39 a.m. · 3 views

BIT-AIRFLOW-2026-22922 Apache Airflow: Airflow externalLogUrl Permission Bypass

Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access. Users are recommended to upgrade to Apache Airflow 3.1.7 or later, which resolves this...

CVSS 6.5 · AI score 5.4 · EPSS 0.00382
Exploits 0 · References 4
OSV
added 2026/01/09 5:15 p.m. · 4 views

CVE-2026-22198

GestSup versions prior to 3.2.60 contain a pre-authentication stored cross-site scripting XSS vulnerability in the API error logging functionality. By sending an API request with a crafted X-API-KEY header value for example, to /api/v1/ticket.php, an unauthenticated attacker can cause...

CVSS 6.1 · AI score 5.9 · EPSS 0.00258
Exploits 0 · References 2
RedhatCVE
added 2026/01/09 12:33 p.m. · 6 views

CVE-2023-31437

An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."...

CVSS 5.3 · AI score 6.9 · EPSS 0.00344
Exploits 0 · References 1
Tenable Nessus
added 2025/08/27 12:0 a.m. · 3 views

Linux Distros Unpatched Vulnerability : CVE-2019-7339

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - POST - Cross Site Scripting XSS exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'level' parameter...

CVSS 6.1 · AI score 7 · EPSS 0.00874
Exploits 1 · References 2
RedhatCVE
added 2025/05/23 9:3 a.m. · 2 views

CVE-2024-47913

An issue was discovered in the AbuseFilter extension for MediaWiki before 1.39.9, 1.40.x and 1.41.x before 1.41.3, and 1.42.x before 1.42.2. An API caller can match a filter condition against AbuseFilter logs even if the caller is not authorized to view the log details for the filter...

CVSS 5.3 · AI score 5.9 · EPSS 0.00441
Exploits 1 · References 1
BDU FSTEC
added 2025/02/17 12:0 a.m. · 3 views

The vulnerability of the Log View component of the FortiAnalyzer security event monitoring and analysis software allows a malicious actor to read the event logs from another domain.

The vulnerability of the Log View component of the FortiAnalyzer security event monitoring and analysis software is related to insufficient protection of operational data. Exploiting this vulnerability could allow an attacker to read the event logs from another domain...

CVSS 2.3 · AI score 5.4 · EPSS 0.00198
Exploits 0 · References 4 · Affected Software 1
Positive Technologies
added 2025/02/11 12:0 a.m. · 2 views

PT-2025-6264 · Fortinet · Fortianalyzer

Name of the Vulnerable Software and Affected Versions: Fortinet FortiAnalyzer versions 6.4.0 through 7.6.0 Description: The issue allows an unauthorized actor to cause information disclosure via filter manipulation, potentially leading to the exposure of sensitive information. This is related to...

CVSS 2.3 · AI score 6.7 · EPSS 0.00198
Exploits 0 · References 8
Positive Technologies
added 2024/11/20 12:0 a.m. · 3 views

PT-2024-16441 · WordPress · Yaad Sarig Payment Gateway For Wc

Name of the Vulnerable Software and Affected Versions: Yaad Sarig Payment Gateway For WC plugin for WordPress versions up to, and including, 2.2.4 Description: The issue is related to a missing capability check on the yaadpay view log callback and yaadpay delete log callback functions. This allow...

CVSS 5.4 · AI score 8.9 · EPSS 0.00275
Exploits 0 · References 6
CNNVD
added 2024/09/02 12:0 a.m. · 4 views

Checkmk Security Vulnerability

Checkmk is an IT monitoring platform from Checkmk, Inc. A security vulnerability exists in versions prior to Checkmk 2.3.0p14 that stems from improper neutralization of user input. An attacker exploiting this vulnerability could inject and run malicious scripts in the Robotmk log view...

CVSS 6.1 · AI score 6.3 · EPSS 0.00309
Exploits 0 · References 2
IBM Security Bulletins
added 2024/04/06 12:29 a.m. · 39 views

Security Bulletin: Vulnerabilities have been identified with the DS8900F Hardware Management Console (HMC)

Summary The updates indicated below have been released to address the following vulnerabilities: CVE-2023-46169 Arbitrary file deletion, CVE-2023-46171 view sensitive log information, CVE-2023-46172 Bypass authentication restrictions for authorized user, CVE-2023-46170 Arbitrary file read ,...

CVSS 9.8 · AI score 8.6 · EPSS 0.01931
Exploits 0 · Affected Software 4
BDU FSTEC
added 2023/12/08 12:0 a.m. · 6 views

The vulnerability of the DataLogView.php, EventsView.php, and AlarmsView.php scripts of the microprogramming software for Osprey Pump Controller controllers allows a perpetrator to execute arbitrary commands.

The vulnerability of the DataLogView.php, EventsView.php, and AlarmsView.php scripts of the Osprey Pump Controller microprogrammed software exists due to the failure to take measures to neutralize certain special elements. Exploiting this vulnerability allows a malicious actor to execute arbitrar...

CVSS 10 · AI score 8.2 · EPSS 0.18202
Exploits 1 · References 3 · Affected Software 1
SUSE CVE
added 2023/06/15 12:54 a.m. · 2 views

SUSE CVE-2023-31437

An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."...

CVSS 5.3 · AI score 9.5 · EPSS 0.00344
Exploits 0 · References 3
CNNVD
added 2023/03/24 12:0 a.m. · 3 views

Osprey Pump Controller Operating System Command Injection Vulnerability

Osprey Pump Controller is a pump controller from Osprey. A security vulnerability exists in Osprey Pump Controller version 1.01, which stems from the presence of an operating system command injection vulnerability. An attacker can exploit this vulnerability to inject and execute arbitrary shell...

CVSS 9.8 · AI score 8.9 · EPSS 0.18202
Exploits 1 · References 3
OSV
added 2022/11/09 7:2 p.m. · 16 views

GHSA-3PPM-FWHM-QQG6 FeehiCMS is vulnerable to Cross-Site Scripting (XSS)

FeehiCMS v2.1.1 was discovered to contain a reflected cross-site scripting XSS vulnerability via the id parameter at /web/admin/index.php?r=log%2Fview-layer...

CVSS 6.1 · AI score 6 · EPSS 0.00406
Exploits 1 · References 3
OSV
added 2022/11/09 2:15 p.m. · 16 views

CVE-2022-43320

FeehiCMS v2.1.1 was discovered to contain a reflected cross-site scripting XSS vulnerability via the id parameter at /web/admin/index.php?r=log%2Fview-layer...

CVSS 6.1 · AI score 6.1
Exploits 0 · References 1