1162 matches found
Amazon Linux 2 : thunderbird, --advisory ALAS2-2026-3198 (ALAS-2026-3198)
The version of thunderbird installed on the remote host is prior to 140.8.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3198 advisory. Incorrect boundary conditions in the WebRTC: Audio/Video component. This vulnerability affects Firefox 148, Firefox...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the renderREADME process. An attacker can execute arbitrary JavaScript and achieve remote code execution by submitting a malicious package containing crafted HTML or Markdown in the README, which is rendered...
CVE-2025-62320
HTML Injection can be carried out in Product when a web application does not properly check or clean user input before showing it on a webpage. Because of this, an attacker may insert unwanted HTML code into the page. When the browser loads the page, it may automatically interact with external...
CVE-2026-32261
Webhooks for Craft CMS plugin adds the ability to manage “webhooks” in Craft CMS, which will send GET or POST requests when certain events occur. From version 3.0.0 to before version 3.2.0, the Webhooks plugin renders user-supplied template content through Twig’s renderString function without...
PT-2026-25802
Webhooks for Craft CMS plugin adds the ability to manage “webhooks” in Craft CMS, which will send GET or POST requests when certain events occur. From version 3.0.0 to before version 3.2.0, the Webhooks plugin renders user-supplied template content through Twig’s renderString function without...
CVE-2026-32704
SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes. Thi...
EUVD-2026-11484
A vulnerability was identified in Jcharis Machine-Learning-Web-Apps up to a6996b634d98ccec4701ac8934016e8175b60eb5. The impacted element is the function rendertemplate of the file Machine-Learning-Web-Apps-master/Build-n-Deploy-Flask-App-with-Waypoint/app/app.py of the component Jinja2 Template...
CVE-2026-3962 Jcharis Machine-Learning-Web-Apps Jinja2 Template app.py render_template cross site scripting
A vulnerability was identified in Jcharis Machine-Learning-Web-Apps up to a6996b634d98ccec4701ac8934016e8175b60eb5. The impacted element is the function rendertemplate of the file Machine-Learning-Web-Apps-master/Build-n-Deploy-Flask-App-with-Waypoint/app/app.py of the component Jinja2 Template...
CVE-2026-3962 Jcharis Machine-Learning-Web-Apps Jinja2 Template app.py render_template cross site scripting
A vulnerability was identified in Jcharis Machine-Learning-Web-Apps up to a6996b634d98ccec4701ac8934016e8175b60eb5. The impacted element is the function rendertemplate of the file Machine-Learning-Web-Apps-master/Build-n-Deploy-Flask-App-with-Waypoint/app/app.py of the component Jinja2 Template...
SUSE CVE-2025-14435
Mattermost versions 10.11.x = 10.11.8, 11.1.x = 11.1.1, 11.0.x = 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops...
Machine-Learning-Web-Apps 代码注入漏洞
Machine-Learning-Web-Apps is a machine learning web application development framework developed by JCharis Jesse. There is a code injection vulnerability in Machine-Learning-Web-Apps, which stems from an incorrect operation on the rendertemplate function in the Jinja2 Template Handler component o...
PT-2026-24891
A vulnerability was identified in Jcharis Machine-Learning-Web-Apps up to a6996b634d98ccec4701ac8934016e8175b60eb5. The impacted element is the function render template of the file Machine-Learning-Web-Apps-master/Build-n-Deploy-Flask-App-with-Waypoint/app/app.py of the component Jinja2 Template...
EUVD-2026-10873
liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the...
CVE-2026-30952 liquidjs has a path traversal fallback vulnerability
liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the...
CVE-2026-30952 liquidjs has a path traversal fallback vulnerability
liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the...
EUVD-2026-10713
RenderBlocking is a MediaWiki extension that allows interface administrators to specify render-blocking CSS and JavaScript. Prior to 0.1.1, there is Stored XSS in renderblocking-css with Inline Assets mode. $wgRenderBlockingInlineAssets = true and editsitecss user rights are required. This...
CVE-2026-30977
RenderBlocking is a MediaWiki extension that allows interface administrators to specify render-blocking CSS and JavaScript. Prior to 0.1.1, there is Stored XSS in renderblocking-css with Inline Assets mode. $wgRenderBlockingInlineAssets = true and editsitecss user rights are required. This...
EUVD-2026-10714
RenderBlocking is a MediaWiki extension that allows interface administrators to specify render-blocking CSS and JavaScript. Prior to 0.1.1, there is Stored XSS in renderblocking-css with Inline Assets mode. $wgRenderBlockingInlineAssets = true and editsitecss user rights are required. This...
liquidjs has a path traversal fallback vulnerability
Impact The layout, render, and include tags allow arbitrary file access via absolute paths either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the default. This poses a security risk when malicious users are allowed to control the template...
GHSA-WMFP-5Q7X-987X liquidjs has a path traversal fallback vulnerability
Impact The layout, render, and include tags allow arbitrary file access via absolute paths either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the default. This poses a security risk when malicious users are allowed to control the template...