Lucene search

11 matches found

RedhatCVE
added 6 hours ago | 3 views

CVE-2026-11569

A flaw was found in Quay. The filedrop endpoint accepts any mime type without validation, allowing an authenticated user with repository write access to upload a malicious SVG file containing JavaScript. The file is stored and served inline through the CDN, enabling stored cross-site scripting wh...

5.4 CVSS | 5.2 AI score
Exploits: 0 | References: 3
Vulnrichment
added 2026/05/15 6:36 p.m. | 4 views

CVE-2026-46360 phpMyFAQ - Stored XSS via Entity Decoding Depth Limit Bypass in SVG Sanitizer

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities that limits recursive entity decoding to 5 iterations, allowing attackers to bypass sanitization. Authenticated users with FAQEDIT permission can upload malicious SVG files with deeply...

5.4 CVSS | 5.9 AI score | 0.00029 EPSS
Exploits: 0 | References: 2
CNNVD
added 2026/04/30 12:0 a.m. | 4 views

Qt Code Injection Vulnerability

Qt is an open-source, cross-platform application development framework. Qt has a code injection vulnerability, which stems from insufficient node ID verification. This vulnerability allows for the injection of arbitrary QML or JavaScript code through the VectorImage component in Qt Quick, when...

9.3 CVSS | 5.9 AI score | 0.00011 EPSS
Exploits: 0 | References: 1
Snyk
added 2026/02/24 1:50 a.m. | 2 views

Off-by-one Error

Overview: Magick.NET-Q16-x64 is a Magick.NET package that allows you to use ImageMagick without having to install ImageMagick on your server or desktop. For more information about specific builds, see the official docs: https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

8.7 CVSS | 5.6 AI score | 0.0002 EPSS
Exploits: 0 | References: 2
Snyk
added 2026/02/24 1:50 a.m. | 3 views

Off-by-one Error

Overview: Magick.NET-Q16-AnyCPU is a Magick.NET package that allows you to use ImageMagick without having to install ImageMagick on your server or desktop. For more information about specific builds, see the official docs: https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

8.7 CVSS | 5.6 AI score | 0.0002 EPSS
Exploits: 0 | References: 2
Cvelist
added 2026/02/11 1:49 p.m. | 28 views

CVE-2026-1226

CWE‑94: Improper Control of Generation of Code vulnerability exists that could cause execution of untrusted or unintended code within the application when maliciously crafted design content is processed through a TGML graphics file...

7 CVSS | 0.00034 EPSS
Exploits: 0 | References: 1
CNNVD
added 2026/02/11 12:0 a.m. | 3 views

Schneider Electric EcoStruxure Building Operation Workstation Code Injection Vulnerability

Schneider Electric EcoStruxure Building Operation Workstation is a specialized operational terminal component developed by Schneider Electric, a French company. The Schneider Electric EcoStruxure Building Operation Workstation has a code injection vulnerability, which stems from improper code...

7 CVSS | 6 AI score | 0.00034 EPSS
Exploits: 0 | References: 2
NVD
added 2025/12/30 5:15 p.m. | 1 views

CVE-2025-68618

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, using Magick to read a malicious SVG file resulted in a DoS attack. Version 7.1.2-12 fixes the issue...

7.5 CVSS | 0.00032 EPSS
Exploits: 1 | References: 2
EUVD
added 2025/10/20 3:30 p.m. | 2 views

EUVD-2025-35060

TastyIgniter vulnerable to Cross-Site Scripting...

8.8 CVSS | 5.8 AI score | 0.0009 EPSS
Exploits: 1 | References: 3
OSV
added 2021/06/11 4:15 p.m. | 2 views

CVE-2021-22754

A CWE-787: Out-of-bounds write vulnerability exists in IGSS Definition Def.exe V15.0.0.21140 and prior that could result in loss of data or remote code execution due to lack of proper validation of user-supplied data, when a malicious CGF file is imported to IGSS Definition...

7.8 CVSS | 6.3 AI score
Exploits: 0 | References: 1
OSV
added 2021/01/06 5:15 p.m. | 1 views

PYSEC-2021-5

CairoSVG is a Python PyPI package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service (REDoS) vulnerability. When processing SVG files, the Python package CairoSVG uses two regular expressions which are vulnerable to Regula...

5.7 CVSS | 6.7 AI score | 0.00138 EPSS
Exploits: 1 | References: 4