Lucene search
K

1226 matches found

RustSec
RustSec
added 6 days ago7 views

mXSS in ammonia via MathML `annotation-xml` encoding strip

If a certain set of MathML tags are enabled, an attacker can inject arbitrary JavaScript code into the user's browser. The annotation-xml tag has slightly different behavior than the other "integration point" tags in MathML and SVG, but ammonia didn't handle it, so it didn't correctly strip the...

6AI score
Exploits0Affected Software1
OSV
OSV
added 6 days ago6 views

RUSTSEC-2026-0193 mXSS in ammonia via MathML `annotation-xml` encoding strip

If a certain set of MathML tags are enabled, an attacker can inject arbitrary JavaScript code into the user's browser. The annotation-xml tag has slightly different behavior than the other "integration point" tags in MathML and SVG, but ammonia didn't handle it, so it didn't correctly strip the...

6AI score
Exploits0References2
Cvelist
Cvelist
added 2026/06/26 6:0 a.m.37 views

CVE-2026-10835 SALESmanago & Leadoo < 3.11.3 - Subscriber+ SQL Injection

The SALESmanago & Leadoo WordPress plugin before 3.11.3 does not properly sanitise and escape a parameter passed to one of its AJAX actions before using it in a SQL statement, and fails to enforce authorisation on that action, allowing authenticated users with minimal permissions, such as...

0.00215EPSS
Exploits0References1
NVD
NVD
added 2026/06/26 2:16 a.m.7 views

CVE-2026-50740

A missing sanitisation vulnerability of user input in the zone-include.php script exists in Revive Adserver 6.0.7 and earlier. A low‑privileged user could exploit the refresh parameter of the iFrame invocation tag to perform reflected XSS attacks...

6.1CVSS0.00222EPSS
Exploits0References1
NVD
NVD
added 2026/06/26 2:16 a.m.10 views

CVE-2026-50745

A missing sanitisation vulnerability exists with user input in the stats-video.php script. The way URLs to this script were constructed did not follow best practices, and the output of the Smarty custom helper function url was neither properly encoded nor sanitised, allowing user‑supplied input t...

6.1CVSS0.00224EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/26 1:11 a.m.8 views

EUVD-2026-39604

A missing sanitisation vulnerability of user input in the zone-include.php script exists in Revive Adserver 6.0.7 and earlier. A low‑privileged user could exploit the refresh parameter of the iFrame invocation tag to perform reflected XSS attacks...

6.1CVSS6.3AI score0.00222EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/26 1:11 a.m.35 views

CVE-2026-50745

A missing sanitisation vulnerability exists with user input in the stats-video.php script. The way URLs to this script were constructed did not follow best practices, and the output of the Smarty custom helper function url was neither properly encoded nor sanitised, allowing user‑supplied input t...

4.7CVSS0.00224EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/26 1:11 a.m.8 views

EUVD-2026-39605

A missing sanitisation vulnerability exists with user input in the stats-video.php script. The way URLs to this script were constructed did not follow best practices, and the output of the Smarty custom helper function url was neither properly encoded nor sanitised, allowing user‑supplied input t...

4.7CVSS5.8AI score0.00224EPSS
Exploits0References1
CVE
CVE
added 2026/06/26 1:11 a.m.13 views

CVE-2026-50745

CVE-2026-50745 concerns Revive Adserver’s stats-video.php where user input is reflected due to missing sanitisation and unencoded URL parameters, arising from improper handling of the Smarty url helper. The HackerOne report confirms a reflected XSS vector in this script. No exploitation status or...

6.1CVSS5.8AI score0.00224EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.10 views

PT-2026-52652

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description A missing sanitisation issue exists in the stats-video.php script. The construction of URLs to this script does not follow best practices, and the output of the...

6.1CVSS5.7AI score0.00224EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.11 views

PT-2026-52648

Name of the Vulnerable Software and Affected Versions Revive Adserver versions prior to 6.0.8 Description Insufficient sanitization of user input in the 'zone-include.php' script allows a low-privileged user to execute reflected Cross-Site Scripting XSS attacks. This occurs through the refresh...

6.1CVSS6.5AI score0.00222EPSS
Exploits0References7
NVD
NVD
added 2026/06/23 9:17 p.m.6 views

CVE-2026-47383

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view. The comment write paths persisted the raw comment body with no...

7.4CVSS0.00288EPSS
Exploits0References1
NVD
NVD
added 2026/06/23 5:16 p.m.6 views

CVE-2026-34914

A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier. A low‑privileged user could exploit the clientid parameter to perform blind SQL injection attacks. Input sanitisation has been improved to ensure that all parameters processed by the script a...

8.3CVSS0.00298EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/23 4:14 p.m.29 views

CVE-2026-34915

A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to exploit the clientid parameter to perform blind SQL injection attacks. Input sanitisation has been improved to ensure that all parameters processed by the...

6.1CVSS0.00217EPSS
Exploits1References1
EUVD
EUVD
added 2026/06/23 4:14 p.m.6 views

EUVD-2026-38500

A missing validation of user input exists when saving delivery limitations in Revive Adserver 6.0.6 and earlier. A low‑privileged user could add an unexpected component parameter and inject malicious PHP code into the compiledlimitations field, which would then be executed during banner delivery...

8.8CVSS6.6AI score0.0045EPSS
Exploits1References1
CVE
CVE
added 2026/06/23 4:14 p.m.19 views

CVE-2026-44959

CVE-2026-44959 affects Revive Adserver up to version 6.0.6. The issue is a missing validation of user input when saving delivery limitations, allowing a low-privileged user to add an unexpected component parameter and inject malicious PHP into the compiledlimitations field, which could be execute...

8.8CVSS6.6AI score0.0045EPSS
Exploits1References1
CVE
CVE
added 2026/06/23 4:14 p.m.18 views

CVE-2026-34914

This CVE is confirmed: Revive Adserver

8.3CVSS6.6AI score0.00298EPSS
Exploits1References1
EUVD
EUVD
added 2026/06/23 4:14 p.m.9 views

EUVD-2026-38499

A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to exploit the clientid parameter to perform blind SQL injection attacks. Input sanitisation has been improved to ensure that all parameters processed by the...

6.1CVSS6.2AI score0.00217EPSS
Exploits1References1
CVE
CVE
added 2026/06/23 4:14 p.m.10 views

CVE-2026-44960

Vulnerability summary (CVE-2026-44960) : A stored XSS exists in Revive Adserver where malicious content placed in the username could be executed when an admin views audit log details, due to missing output sanitisation. The issue is triggered by usernames being displayed in the audit log details ...

5.7AI score0.00339EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/23 4:14 p.m.31 views

CVE-2026-34914

A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier. A low‑privileged user could exploit the clientid parameter to perform blind SQL injection attacks. Input sanitisation has been improved to ensure that all parameters processed by the script a...

8.3CVSS0.00298EPSS
Exploits1References1
Rows per page
Query Builder