6657 matches found
PT-2026-20881
Name of the Vulnerable Software and Affected Versions Svelte versions prior to 5.51.5 Description A flaw exists in Svelte where, during server-side rendering, the tag name provided to the component is not validated or sanitized before being included in the HTML output. This can lead to HTML...
PT-2026-20592
Name of the Vulnerable Software and Affected Versions Web Accessibility by accessiBe versions up to and including 2.11 Description The Web Accessibility by accessiBe plugin for WordPress is susceptible to exposure of sensitive information. This occurs because the accessibe render js in footer...
CVE-2025-55853
SoftVision webPDF before 10.0.2 is vulnerable to Server-Side Request Forgery SSRF. The PDF converter function does not check if internal or external resources are requested in the uploaded files and allows for protocols such as http:// and file:///. This allows an attacker to upload an XML or HTM...
PT-2026-20917
Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.7.0 Description Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Modifying chat history before version 0.7.0 allows manipulation of the html property within...
PT-2026-21305
Name of the Vulnerable Software and Affected Versions Svelte versions 5.39.3 through 5.51.4 Description Svelte is susceptible to a flaw where, under specific conditions, the server-side rendering of an element fails to properly escape its content. This can lead to potential HTML injection within...
Cross-site Scripting (XSS)
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Cross-site Scripting XSS via the rendering process of assistant identity values into an inline tag without proper escaping. An attacker can execute arbitrary JavaScript in the Control UI ...
CVE-2026-27177
MajorDoMo aka Major Domestic Module contains a stored cross-site scripting XSS vulnerability via the /objects/?op=set endpoint, which is intentionally unauthenticated for IoT device integration. User-supplied property values are stored raw in the database without sanitization. When an administrat...
KLA90896 Multiple vulnerabilities in Google Chrome
Multiple vulnerabilities were found in Google Chrome. Malicious users can exploit these vulnerabilities to cause denial of service, execute arbitrary code. Below is a complete list of vulnerabilities: 1. Heap buffer overflow vulnerability in PDFium can be exploited to cause denial of service. 2...
MajorDoMo 跨站脚本漏洞
MajorDoMo is an open-source DIY smart home automation platform developed by the MajorDoMo community. MajorDoMo has a cross-site scripting vulnerability. This vulnerability stems from the /objects/?method endpoint, which allows unvalidated execution of stored methods. The parameters controlled by...
PT-2026-20513
Name of the Vulnerable Software and Affected Versions MajorDoMo versions affected versions not specified Description MajorDoMo contains a stored cross-site scripting XSS issue through the /objects/?op=set API endpoint. This endpoint is intentionally unauthenticated for integration with IoT device...
EUVD-2026-6097
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: It was possible to exfiltrate information...
pretix unsafely evaluates variables in emails
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: - It was possible to exfiltrate informati...
CVE-2026-26188
Solspace Freeform plugin for Craft CMS 5.x is a super flexible form-building tool. An authenticated, low-privilege user able to create/edit forms can inject arbitrary HTML/JS into the Craft Control Panel CP builder and integrations views. User-controlled form labels and integration metadata are...
Cross-site Scripting (XSS)
Overview beautiful-mermaid is a Render Mermaid diagrams as beautiful SVGs or ASCII art. Ultra-fast, fully themeable, zero DOM dependencies. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the interpolation of user-controlled values from style and classDef directiv...
SUSE CVE-2025-41117
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo ...
beautiful-mermaid 跨站脚本漏洞
Beautiful-Mermaid is a visualization AI assistant tool developed by Craft Docs. Versions of Beautiful-Mermaid prior to 0.1.3 had a cross-site scripting vulnerability. This vulnerability stemmed from an SVG attribute injection issue, which could lead to cross-site scripting attacks when rendering...
n8n Node.js Package < 1.123.9 / 2.x < 2.2.1 Stored XSS (CVE-2026-25054)
The version of the n8n Node.js Package installed on the remote host is prior to 1.123.9, or 2.x prior to 2.2.1. It is, therefore, affected by a stored cross-site scripting vulnerability: - A cross-site scripting XSS vulnerability existed in a markdown rendering component used in n8n's interface,...
next-mdx-remote affected by arbitrary code execution in React server-side rendering of untrusted MDX content
The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content...
GHSA-G4XW-JXRG-5F6M next-mdx-remote affected by arbitrary code execution in React server-side rendering of untrusted MDX content
The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content...
Arbitrary Code Injection
Overview next-mdx-remote is an utilities for loading mdx from any remote source as data, rather than as a local import Affected versions of this package are vulnerable to Arbitrary Code Injection via the serialize function. An attacker can execute arbitrary code by submitting specially crafted MD...