CVE-2026-35608

QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored XSS vulnerability exists in the file preview endpoint. The application allows SVG files to be uploaded via the /api/file/upload-chunk endpoint. An attacker can upload a specially crafted SVG file containing a JavaScrip...

GHSA-5VPR-4FGW-F69H File Browser is vulnerable to Stored Cross-site Scripting via crafted EPUB file

Summary The EPUB preview function in File Browser is vulnerable to Stored Cross-site Scripting XSS. JavaScript embedded in a crafted EPUB file executes in the victim's browser when they preview the file. Details frontend/src/views/files/Preview.vue passes allowScriptedContent: true to the...

EUVD-2026-16038

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document preview allows an attacker who can upload or send a CCDA document to execute arbitrary JavaScript in ...

WordPress Master Addons for Elementor Premium plugin <= 2.1.3 - Authenticated (Subscriber+) Remote Code Execution via render_preview vulnerability

Authenticated Subscriber+ Remote Code Execution via renderpreview vulnerability discovered by Ren Voza in WordPress Plugin Master Addons for Elementor Premium versions = 2.1.3...

EUVD-2026-9263

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an uncaught exception was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra...

CVE-2026-1466 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Jirafeau

Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image except for...

CVE-2026-22804

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, Stored Cross-Site Scripting XSS vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. Thi...

CVE-2021-41236

OroPlatform is a PHP Business Application Platform. In affected versions the email template preview is vulnerable to XSS payload added to email template content. An attacker must have permission to create or edit an email template. For successful payload, execution the attacked user must preview ...

CVE-2023-43658

dicourse-calendar is a plugin for the Discourse messaging platform which adds the ability to create a dynamic calendar in the first post of a topic. Improper escaping of event titles could lead to Cross-site Scripting XSS within the 'email preview' UI when a site has CSP disabled. Having CSP...

EUVD-2016-2052

Malware in sbrugna...

EUVD-2020-2709

Malware in sbrugna...

EUVD-2014-3555

Malware in sbrugna...

EUVD-2016-1411

Malware in sbrugna...

EUVD-2023-2734

Malicious code in bioql PyPI...

EUVD-2022-0153

Malicious code in bioql PyPI...

EUVD-2023-43653

Malicious code in bioql PyPI...

EUVD-2025-20172

Malicious code in bioql PyPI...

EUVD-2024-40271

Malicious code in bioql PyPI...

CVE-2025-50733

NextChat contains a cross-site scripting XSS vulnerability in the HTMLPreview component of artifacts.tsx that allows attackers to execute arbitrary JavaScript code when HTML content is rendered in the AI chat interface. The vulnerability occurs because user-influenced HTML from AI responses is...

CVE-2025-53181

Null pointer dereference vulnerability in the PDF preview module Impact: Successful exploitation of this vulnerability may affect function stability...