
11 matches found

OSV
added 2026/03/18 3:03 a.m. · 2 views

CVE-2026-31898 jsPDF has a PDF Object Injection via FreeText color

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the createAnnotation method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following method, a user can inje...

CVSS 8.1 · AI score 6 · EPSS 0.00046
Exploits 0 · References 6
Positive Technologies
added 2025/12/29 12:00 a.m. · 3 views

PT-2025-53684

Name of the Vulnerable Software and Affected Versions itsourcecode Online Cake Ordering System version 1.0 Description A SQL injection issue exists in itsourcecode Online Cake Ordering System 1.0. The manipulation of the ID argument in the /detailtransac.php file can lead to SQL injection. This...

CVSS 9.8 · AI score 7.5 · EPSS 0.00021
Exploits 1 · References 11
Github Security Blog
added 2025/12/02 12:38 a.m. · 4 views

MCP Watch has a Critical Command Injection in cloneRepo allows Remote Code Execution (RCE) via malicious URL

Summary The MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via execSync without sanitization. This allows an attacker to execute arbitrary commands on the host...

CVSS 9.8 · AI score 8.6 · EPSS 0.01107
Exploits 1 · References 4 · Affected Software 1
Tenable Nessus
added 2025/04/10 12:00 a.m. · 5 views

Moodle 4.3.x < 4.3.4 Multiple Vulnerabilities

According to its self-reported version, the Moodle install hosted on the remote host is 4.3.x prior to 4.3.4. It is, therefore, affected by multiple vulnerabilities. - Insufficient checks whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect...

CVSS 9.8 · AI score 7.3 · EPSS 0.00808
Exploits 0 · References 9
OSV
added 2025/02/24 9:31 p.m. · 6 views

GHSA-H697-W4PH-7PCX Moodle has a stored XSS in ddimageortext question type

The drag-and-drop onto image ddimageortext question type required additional sanitizing to prevent a stored XSS risk...

CVSS 3.4 · AI score 3.6 · EPSS 0.00706
Exploits 0 · References 4
Github Security Blog
added 2025/01/03 5:06 p.m. · 12 views

PhpSpreadsheet allows unauthorized Reflected XSS in the Accounting.php file

Unauthorized Reflected XSS in the Accounting.php file Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' CVSS vector v.3.1: 8.2 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N CVSS vector v.4.0: 8.3...

CVSS 8.3 · AI score 5.5 · EPSS 0.01179
Exploits 1 · References 4 · Affected Software 2
RedHat Linux
added 2024/09/24 12:40 a.m. · 1 view

kernel: vmci: prevent speculation leaks by sanitizing event in event_deliver()

A vulnerability was found in the event_deliver function in the Linux kernel's VMCI component, where the issue involves a lack of sanitization for the event_data.event index controlled by user-space, which could lead to speculative information leaks...

CVSS 7.1 · AI score 7.2 · EPSS 0.00007
Exploits 0 · References 5
Positive Technologies
added 2024/08/16 12:00 a.m. · 1 view

PT-2024-30253 · Zzcms · Zzcms

Name of the Vulnerable Software and Affected Versions: ZZCMS versions 2023 and earlier Description: A reflected cross-site scripting XSS issue exists due to the direct insertion of the HTTP REFERER header value into the HTML response without proper sanitization in the user/login.php file at line...

CVSS 4.7 · AI score 5.8 · EPSS 0.00265
Exploits 0 · References 6
Positive Technologies
added 2024/02/09 12:00 a.m. · 2 views

PT-2024-20883 · Code Projects · Code-Projects Hotel Managment System

Name of the Vulnerable Software and Affected Versions: Code-projects Hotel Managment System version 1.0 Description: The issue allows SQL Injection via the sid parameter in the "Hotel/admin/show.php?sid=2" endpoint. This means an attacker could potentially inject malicious SQL code by manipulatin...

CVSS 9.8 · AI score 8.1 · EPSS 0.00157
Exploits 1 · References 5
Positive Technologies
added 2022/08/18 12:00 a.m. · 2 views

PT-2022-14121 · Kubevirt +1 · Kubevirt +1

Name of the Vulnerable Software and Affected Versions: KubeVirt versions up to 0.56 KubeVirt version 0.55.1 Description: A path traversal vulnerability in KubeVirt allows a user able to configure the kubevirt to read arbitrary files on the host filesystem which are publicly readable or which are...

CVSS 9.3 · AI score 8.8 · EPSS 0.00963
Exploits 2 · References 35
Positive Technologies
added 2022/02/25 12:00 a.m. · 11 views

PT-2022-10654 · Unknown · Jquery File Upload

Name of the Vulnerable Software and Affected Versions: jQuery-Upload-File version 4.0.11 Description: A cross-site scripting XSS issue exists due to a vulnerability in the fileNameStr parameter, allowing attackers to execute arbitrary web scripts or HTML via a crafted file with a Javascript paylo...

CVSS 6.1 · AI score 6.1 · EPSS 0.00717
Exploits 0 · References 11