70 matches found
CVE-2026-27737
BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback presentation format was not sanitizing user's input in public chat. This allowed for a malicious actor to craft and carry out a targeted XSS attack, activated on anyone replaying the recording...
CVE-2026-39422
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface /ui/chat/accesstoken, the...
CVE-2026-27737
BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback presentation format was not sanitizing user's input in public chat. This allowed for a malicious actor to craft and carry out a targeted XSS attack, activated on anyone replaying the recording...
CVE-2026-27737
BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback presentation format was not sanitizing user's input in public chat. This allowed for a malicious actor to craft and carry out a targeted XSS attack, activated on anyone replaying the recording...
EUVD-2026-30811
BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback presentation format was not sanitizing user's input in public chat. This allowed for a malicious actor to craft and carry out a targeted XSS attack, activated on anyone replaying the recording...
CVE-2026-27737
CVE-2026-27737 affects BigBlueButton prior to version 3.0.19 . The issue arises in the recording playback (presentation format) where user input in the public chat was not sanitized, enabling a targeted XSS attack when replaying the recording. Root cause: missing input sanitization in the bbb-pla...
CVE-2026-27737 BigBlueButton has Stored XSS in bbb-playback replay
BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback presentation format was not sanitizing user's input in public chat. This allowed for a malicious actor to craft and carry out a targeted XSS attack, activated on anyone replaying the recording...
CVE-2026-27737 BigBlueButton has Stored XSS in bbb-playback replay
BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback presentation format was not sanitizing user's input in public chat. This allowed for a malicious actor to craft and carry out a targeted XSS attack, activated on anyone replaying the recording...
BigBlueButton 跨站脚本漏洞
BigBlueButton is an open-source web conferencing system developed by the BigBlueButton community. Versions of BigBlueButton prior to 3.0.19 contained a cross-site scripting vulnerability. This vulnerability stemmed from the failure to clean up user input in public chat areas during recording and...
PT-2026-41738
Name of the Vulnerable Software and Affected Versions BigBlueButton versions prior to 3.0.19 Description Recording playback in presentation format fails to sanitize user input within the public chat. This allows a malicious actor to execute a targeted Cross-Site Scripting XSS attack—a technique...
CVE-2026-41266
Flowise CVE-2026-41266 affects Flowise (drag-and-drop LLM workflow UI). Before version 3.1.0, GET/unauthenticated access to /api/v1/public-chatbotConfig/:id exposes sensitive data (API keys, HTTP Authorization headers, and internal configuration) without authentication. An attacker who only knows...
Flowise 访问控制错误漏洞
Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Prior versions of Flowise, up to 3.1.0, contained a access control vulnerability. This vulnerability stemmed from an authentication bypass exploit, allowing unauthenticated attackers to obtain...
PT-2026-34731
Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.0 Description The '/api/v1/public-chatbotConfig/:id' endpoint exposes sensitive data without requiring authentication. An attacker who possesses a chatflow UUID can retrieve internal configuration, HTTP...
CVE-2026-39422
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface /ui/chat/accesstoken, the...
CVE-2026-39422
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface /ui/chat/accesstoken, the...
CVE-2026-39422 MaxKB has Stored XSS via ChatHeadersMiddleware
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface /ui/chat/accesstoken, the...
EUVD-2026-22182
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface /ui/chat/accesstoken, the...
CVE-2026-39422
MaxKB vulnerability CVE-2026-39422 is a Stored XSS in versions 2.7.1 and earlier, triggered via the application name or icon fields when creating an application. When users visit the public chat interface (/ui/chat/{access_token}), ChatHeadersMiddleware retrieves application data and directly ins...
CVE-2026-39422 MaxKB has Stored XSS via ChatHeadersMiddleware
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface /ui/chat/accesstoken, the...
PT-2026-32576
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface /ui/chat/access token, the...