341 matches found

RedhatCVE (added 5 days ago, 8 views)

CVE-2026-52750

Ghidra before 12.1 contains a command injection vulnerability in URL annotation handling on Windows where cmd.exe metacharacters are not properly escaped. Attackers can execute arbitrary commands under the Ghidra user's privileges by embedding malicious URLs in program comments that victims click...

CVSS: 8.4 | AI score: 5.9 | EPSS: 0.00503 | Exploits: 0 | References: 1
RedhatCVE (added 6 days ago, 5 views)

CVE-2026-24315

SAP Fiori Launchpad allows attackers to craft malicious URLs that trigger arbitrary service calls on the Fiori domain; when opened by the user, such a URL could compromise accounts by stealing user credentials. Successful exploitation requires adversaries to possess advanced knowledge of the system...

CVSS: 4.2 | AI score: 5.6 | EPSS: 0.00174 | Exploits: 0 | References: 1
NVD (added 2026/06/09 1:16 a.m., 11 views)

CVE-2026-24315

SAP Fiori Launchpad allows attackers to craft malicious URLs that trigger arbitrary service calls on the Fiori domain; when opened by the user, such a URL could compromise accounts by stealing user credentials. Successful exploitation requires adversaries to possess advanced knowledge of the system...

CVSS: 4.2 | EPSS: 0.00174 | Exploits: 0 | References: 2
CNNVD (added 2026/06/09 12:00 a.m., 3 views)

SAP Wily Introscope Enterprise Manager cross-site scripting vulnerability

SAP Wily Introscope Enterprise Manager is an application performance management component developed by the German company SAP. SAP Wily Introscope Enterprise Manager has a cross-site scripting vulnerability. This vulnerability stems from allowing unauthenticated attackers to construct malicious...

CVSS: 4.7 | AI score: 5.2 | EPSS: 0.00154 | Exploits: 0 | References: 1
Japan Vulnerability Notes (added 2026/05/21 8:22 a.m., 6 views)

Android App "RoboForm Password Manager" insufficient validation of Android intents

Overview: Android App "RoboForm Password Manager" provided by Siber Systems, Inc. accepts intents from other applications to open relevant web pages, e.g. login pages, but without sufficient URL validation, user confirmation or notification. Insufficient UI Warning of Dangerous Operations (CWE-357)...

CVSS: 4.6 | AI score: 5.8 | EPSS: 0.00132 | Exploits: 0 | References: 5
EUVD (added 2026/05/21 12:30 a.m., 9 views)

EUVD-2026-31200

Android App "RoboForm Password Manager" provided by Siber Systems, Inc. handles Android intents without sufficient URL validation, user confirmation or notification. If a URL to some malicious web page is given through an intent, RoboForm may silently download files without user confirmation or...

CVSS: 4.6 | AI score: 5.8 | EPSS: 0.00132 | Exploits: 0 | References: 4
CNNVD (added 2026/05/07 12:00 a.m., 4 views)

sidekiq-cron security vulnerability

sidekiq-cron is an open-source scheduling plugin for tasks based on Cron expressions. Versions of sidekiq-cron 2.3.1 and earlier contain security vulnerabilities; these vulnerabilities stem from the possibility of cross-site scripting attacks caused by rendering malicious URLs through the cron.er...

CVSS: 6.1 | AI score: 5.7 | EPSS: 0.00194 | Exploits: 0 | References: 1
Snyk (added 2026/05/06 8:10 p.m., 6 views)

Improper Encoding or Escaping of Output

Overview: phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the Utils::parseUrl function during comment rendering. An attacker can execute arbitrary JavaScript in the...

CVSS: 8.3 | AI score: 6.1 | EPSS: 0.00215 | Exploits: 0 | References: 3
RedHat Linux (added 2026/04/23 4:40 p.m., 6 views)

python: Python: Command-line option injection in webbrowser.open() via crafted URLs

A flaw was found in Python. The webbrowser.open API, used to launch web browsers, does not properly sanitize input. This allows a remote attacker to craft a malicious URL containing leading dashes. When such a URL is opened, certain web browsers may interpret these dashes as command-line options,...

CVSS: 7 | AI score: 6 | EPSS: 0.00216 | Exploits: 0 | References: 7
Positive Technologies (added 2026/04/22 12:00 a.m., 6 views)

PT-2026-37152

Name of the Vulnerable Software and Affected Versions: i18nextify versions prior to 4.0.8. Description: The software substitutes key interpolation tokens within src and href attribute values using the raw string from i18next.t. The substitution logic in the replaceInside handler within src/localize....

CVSS: 4.7 | AI score: 6 | EPSS: 0.00144 | Exploits: 0 | References: 6
CNNVD (added 2026/04/14 12:00 a.m., 3 views)

SAP NetWeaver Application Server ABAP input validation error vulnerability

SAP NetWeaver Application Server ABAP is a platform used by SAP, a German company, for the operation and development of applications written in the ABAP language. There is an input validation vulnerability in SAP NetWeaver Application Server ABAP. This vulnerability stems from an open redirection...

CVSS: 6.1 | AI score: 5.8 | EPSS: 0.00155 | Exploits: 0 | References: 2
Positive Technologies (added 2026/04/09 12:00 a.m., 2 views)

PT-2026-31731

Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the from option, from ctrl,...

CVSS: 6.1 | AI score: 5.8 | EPSS: 0.00226 | Exploits: 0 | References: 5
Positive Technologies (added 2026/04/09 12:00 a.m., 5 views)

PT-2026-31730

Joomla Solidres 2.13.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating multiple GET parameters including show, reviews, type id, distance, facilities, categories, prices, location, and Itemid. Attackers can...

CVSS: 6.1 | AI score: 5.8 | EPSS: 0.00226 | Exploits: 0 | References: 5
CNNVD (added 2026/03/31 12:00 a.m., 4 views)

SiYuan code injection vulnerability

SiYuan is a privacy-oriented personal knowledge management system developed by SiYuan OpenSource. Versions of SiYuan prior to 3.6.2 contained a code injection vulnerability. This vulnerability stemmed from unvalidated malicious URLs in the Attribute View mAsse field, which could lead to stored-xs...

CVSS: 9 | AI score: 6.1 | EPSS: 0.00489 | Exploits: 1 | References: 4
GithubExploit (added 2026/03/30 3:43 p.m., 550 views)

Exploit for Embedded Malicious Code in Aquasec Setup-Trivy

CVE-2026-33634-Scanner (License: MIT)...

CVSS: 9.4 | AI score: 6 | EPSS: 0.60368 | Exploits: 2
CNNVD (added 2026/03/26 12:00 a.m., 4 views)

GDTaller cross-site scripting vulnerability

GDTaller is a digital certificate and electronic seal management system developed by the Spanish company GDTaller. GDTaller has a cross-site scripting vulnerability, which originates from the site parameter in the apprecuperarclave.php file. This vulnerability could allow attackers to execute...

CVSS: 6.1 | AI score: 5.7 | EPSS: 0.00194 | Exploits: 0 | References: 1
ATTACKERKB (added 2026/03/15 6:34 p.m., 0 views)

CVE-2017-20219

Serviio PRO 1.8 DLNA Media Streaming Server contains a DOM-based cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads. Attackers can craft URLs with malicious input that is read from document.location and passed to...

AI score: 5.9 | EPSS: 0.00238 | Exploits: 1 | References: 6 | Affected Software: 1
Positive Technologies (added 2026/03/15 12:00 a.m., 3 views)

PT-2026-25725

Name of the Vulnerable Software and Affected Versions: ZKTeco ZKBioSecurity version 3.0. Description: The software contains multiple reflected cross-site scripting issues that permit attackers to run arbitrary HTML and script code. This is achieved by injecting malicious payloads through unsanitized...

CVSS: 6.1 | AI score: 5.5 | EPSS: 0.00248 | Exploits: 1 | References: 8
Positive Technologies (added 2026/03/12 12:00 a.m., 3 views)

PT-2026-25048

Name of the Vulnerable Software and Affected Versions: mirror-registry, affected versions not specified. Description: An issue exists in mirror-registry where an authenticated user can manipulate the system into accessing unintended internal or restricted systems by supplying malicious web addresses...

CVSS: 5.4 | AI score: 5.5 | EPSS: 0.00156 | Exploits: 0 | References: 7
EUVD (added 2026/03/05 9:59 p.m., 6 views)

EUVD-2026-9894

OpenClaw versions prior to 2026.2.15 contain a denial of service vulnerability in the webfetch tool that allows attackers to crash the Gateway process through memory exhaustion by parsing oversized or deeply nested HTML responses. Remote attackers can social-engineer users into fetching malicious...

CVSS: 6.9 | AI score: 5.9 | EPSS: 0.00388 | Exploits: 0 | References: 3