42 matches found
CVE-2026-49368
In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible...
EUVD-2026-33416
In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible...
CVE-2026-49368
CVE-2026-49368 affects JetBrains YouTrack prior to version 2026.1.13162. The issue is a stored XSS in project notification templates. According to the entry, the vulnerability can be triggered remotely (attack vector: NETWORK) with low privileges required and user interaction needed, leading to h...
JetBrains YouTrack Cross-Site Scripting Vulnerability
JetBrains YouTrack is a browser-based error tracking and project management software developed by Czech company JetBrains. This software features error tracking, the ability to create workflows, and monitoring of project progress. Versions of JetBrains YouTrack prior to 2026.1.13162 contained a...
PT-2026-44948
Name of the Vulnerable Software and Affected Versions: JetBrains YouTrack versions prior to 2026.1.13162. Description: Stored Cross-Site Scripting (XSS), a flaw where malicious scripts are permanently stored on the target server, is possible within project notification templates. Recommendations: Updat...
CVE-2026-27694
Traccar (org.traccar:traccar) versions 6.11.1–6.12.x are vulnerable to stored HTML injection in email notification templates. User-controlled device, geofence, and driver names are inserted into HTML output without proper escaping, allowing an attacker with low privileges to store crafted HTML th...
OPENSUSE-SU-2026:20654-1 Security update for grafana
This update for grafana fixes the following issues: Changes in grafana: - Update to version 11.6.11: Features and enhancements: Alerting: Add limits for the size of expanded notification templates Correlations: Remove support for orgid=0 Security: CVE-2026-21722: Public dashboards annotations: us...
CVE-2026-28505
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the streval function in notificationhandler.py implements a sandboxed eval for notification text templates. The sandbox attempts to restrict callable names by inspecting code.co_names of the...
EUVD-2026-17184
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the streval function in notificationhandler.py implements a sandboxed eval for notification text templates. The sandbox attempts to restrict callable names by inspecting code.co_names of the...
CVE-2026-33130 Uptime Kuma: SSTI in Notification Templates Allows Arbitrary File Read (Incomplete Fix for GHSA-vffh-c9pq-4crh)
Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh doesn't fully work to prevent Server-side Template Injection (SSTI). The three mitigations added to the Liquid engine (root, relativeReference, dynamicPartials) only block...
CVE-2026-33130
Uptime Kuma (versions 1.23.0–2.2.0) is affected by a server-side template injection (SSTI) in notification templates due to an incomplete fix for GHSA-vffh-c9pq-4crh. The Liquid engine mitigations added to limit path resolution (root, relativeReference, dynamicPartials) only block quoted paths; i...
PT-2026-26375
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.208 and below are vulnerable to Stored Cross-Site Scripting (XSS) through FreeScout's email notification templates. Incoming email bodies are stored in the database without sanitization and rendered...
EUVD-2025-35098
Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read...
GHSA-VFFH-C9PQ-4CRH Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read
Summary: In some Notification types (e.g., Webhook, Telegram), the send function allows user-controlled renderTemplate input. This leads to a Server-side Template Injection (SSTI) vulnerability that can be exploited to read arbitrary files from the server. Details: The root cause is how Uptime Kuma...