7471 matches found

NVD | added 2026/02/26 1:16 a.m. | 7 views

CVE-2026-27830

c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and javax.naming.Reference instances. Several c3p0 ConnectionPoolDataSource implementations have a property called userOverridesAsString which conceptually represents a Map. Prior to...

CVSS 8.9 | EPSS 0.00313
Exploits 0 | References 5
Snyk | added 2026/02/26 12:17 a.m. | 4 views

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview: Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the factoryClassLocation function. An attacker can achieve arbitrary code execution by provoking the application to read a maliciously...

CVSS 9.8 | AI score 6.5 | EPSS 0.00151
Exploits 1 | References 2
CNNVD | added 2026/02/26 12:00 a.m. | 3 views

Live Helper Chat security vulnerability

Live Helper Chat is an open-source plugin for personal developers that provides chat functionality for web platforms. Versions of Live Helper Chat 4.52 and earlier contain security vulnerabilities. These vulnerabilities stem from the lack of checks for access permissions when loading chat objects...

CVSS 7.1 | AI score 5.8 | EPSS 0.00036
Exploits 0 | References 1
Snyk | added 2026/02/25 5:26 p.m. | 1 view

Arbitrary Code Injection

Overview: @enclave-vm/ast is a production-ready, extensible AST validator for JavaScript with rule-based validation. Affected versions of this package are vulnerable to Arbitrary Code Injection by escaping the enclave sandbox. An attacker can pollute the Object constructor rather than the intended...

CVSS 10 | AI score 6.2 | EPSS 0.00775
Exploits 2 | References 3
Positive Technologies | added 2026/02/25 12:00 a.m. | 3 views

PT-2026-21860

Name of the Vulnerable Software and Affected Versions: SPIP interface_traduction_objets plugin versions prior to 2.2.2; SPIP interface_traduction_objets plugin versions 2.2.2 through 4.3.3. Description: The SPIP interface_traduction_objets plugin contains an authenticated remote code execution issue ...

CVSS 8.8 | AI score 6.6 | EPSS 0.00158
Exploits 0 | References 11
CNNVD | added 2026/02/25 12:00 a.m. | 6 views

mchange-commons-java injection vulnerability

mchange-commons-java is a software library developed by Steve Waldman. Versions of mchange-commons-java prior to 0.4.0 had an injection vulnerability. This vulnerability stemmed from the library's inclusion of an independently implemented JNDI dereferencing function, which could allow attackers to trigger...

CVSS 9.8 | AI score 7.4 | EPSS 0.00151
Exploits 1 | References 5
CNNVD | added 2026/02/25 12:00 a.m. | 4 views

SPIP interface_traduction_objets security vulnerability

SPIP interface_traduction_objets is an extension plugin for SPIP. A SQL injection vulnerability exists in versions of SPIP interface_traduction_objets prior to 2.2.2. The vulnerability stems from interface_traduction_objets_pipelines.php directly concatenating the id_parent parameter into the SQL WHERE...

CVSS 8.8 | AI score 5.9 | EPSS 0.00046
Exploits 0 | References 5
Positive Technologies | added 2026/02/25 12:00 a.m. | 3 views

PT-2026-21862

The SPIP interface_traduction_objets plugin versions prior to 4.3.3 contain an authenticated SQL injection vulnerability in interface_traduction_objets_pipelines.php. When handling translation requests, the plugin reads the id_parent parameter from user-supplied input and concatenates it directly...

CVSS 8.7 | AI score 5.8 | EPSS 0.00046
Exploits 0 | References 4
Packet Storm | added 2026/02/23 12:00 a.m. | 150 views

jsPDF PDF Object Injection

jsPDF versions prior to 4.2.0 suffer from a PDF object injection vulnerability in the addJS method. CVE-2026-25755: PDF Object Injection in jsPDF addJS Method. Description: A PDF Object Injection vulnerability was identified in the addJS method of jsPDF. The library fails to sanitize user-supplied inp...

CVSS 8.8 | AI score 5.6 | EPSS 0.00026
Exploits 2
Debian CVE | added 2026/02/19 7:40 p.m. | 6 views

CVE-2026-26278

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it's possible ...

CVSS 7.5 | AI score 7.3 | EPSS 0.00032
Exploits 1
NVD | added 2026/02/19 4:27 p.m. | 5 views

CVE-2026-25940

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following properties, a user ca...

CVSS 8.1 | EPSS 0.00042
Exploits 1 | References 3
CNNVD | added 2026/02/19 12:00 a.m. | 4 views

jsPDF security vulnerability

jsPDF is a JavaScript-based PDF document generation library developed by Parallax. Versions of jsPDF prior to 4.2.0 contained security vulnerabilities. These vulnerabilities stemmed from improper handling of user input by the Acroform module, which could lead to the injection of arbitrary PDF...

CVSS 8.1 | AI score 5.9 | EPSS 0.00042
Exploits 1 | References 3
Positive Technologies | added 2026/02/19 12:00 a.m. | 1 view

PT-2026-20852

Name of the Vulnerable Software and Affected Versions: jsPDF versions prior to 4.2.0. Description: jsPDF is a JavaScript library used to generate PDF documents. Prior to version 4.2.0, the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions, through user-controll...

CVSS 8.1 | AI score 5.8 | EPSS 0.00042
Exploits 1 | References 13
RedhatCVE | added 2026/02/18 7:30 p.m. | 1 view

CVE-2025-14689

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 12.1.0 through 12.1.3 could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic with federated objects...

CVSS 6.5 | AI score 5.5 | EPSS 0.00071
Exploits 0 | References 1
CVE | added 2026/02/18 2:53 p.m. | 7 views

CVE-2026-23222

CVE-2026-23222 has been resolved in the Linux kernel. The bug was due to omap_crypto_copy_sg_lists() allocating an array of scatterlist pointers instead of scatterlist objects, causing a 4x under-allocation. The fix uses sizeof(*new_sg) to allocate the correct object size, ensuring proper scatter...

CVSS 7.8 | AI score 5.2 | EPSS 0.00021
Exploits 0 | References 9 | Affected Software 1
ATTACKERKB | added 2026/02/18 2:53 p.m. | 1 view

CVE-2026-23222

In the Linux kernel, the following vulnerability has been resolved: crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly. The existing allocation of scatterlists in omap_crypto_copy_sg_lists was allocating an array of scatterlist pointers, not scatterlist objects, resulting in a 4x too...

AI score 5.1 | EPSS 0.00021
Exploits 0 | References 9 | Affected Software 1
CNNVD | added 2026/02/18 12:00 a.m. | 3 views

MajorDoMo SQL injection vulnerability

MajorDoMo is an open-source DIY smart home automation platform developed by the MajorDoMo community. There is a SQL injection vulnerability in MajorDoMo. This vulnerability stems from the commands_search.inc.php file, which directly inserts the $_GET parent parameter into multiple SQL queries. These...

CVSS 9.8 | AI score 5.8 | EPSS 0.00045
Exploits 2 | References 3
CNNVD | added 2026/02/18 12:00 a.m. | 3 views

MajorDoMo cross-site scripting vulnerability

MajorDoMo is an open-source DIY smart home automation platform developed by the MajorDoMo community. MajorDoMo has a cross-site scripting vulnerability. This vulnerability stems from the fact that attribute values provided by users through the /objects/?op=set endpoint are stored without properly...

CVSS 7.2 | AI score 5.6 | EPSS 0.00047
Exploits 1 | References 3
CNNVD | added 2026/02/18 12:00 a.m. | 3 views

MajorDoMo cross-site scripting vulnerability

MajorDoMo is an open-source DIY smart home automation platform developed by the MajorDoMo community. MajorDoMo has a cross-site scripting vulnerability. This vulnerability stems from the /objects/?method endpoint, which allows unvalidated execution of stored methods. The parameters controlled by...

CVSS 7.2 | AI score 5.8 | EPSS 0.00044
Exploits 1 | References 3
ATTACKERKB | added 2026/02/17 5:12 p.m. | 2 views

CVE-2025-14689

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 12.1.0 through 12.1.3 could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic with federated objects...

CVSS 6.5 | AI score 5.5 | EPSS 0.00071
Exploits 0 | References 2 | Affected Software 1